Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 162 discussion

Actually both A and B would work. https://aws.amazon.com/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/ With B, you would need to set up PHZ as well.

A - the key to this configuration is "...to privately access AWS resources". This would remove option B as it is setting up for a public IP addressing use. This link shows using Public and Private IP Address configurations For the Private, it is using a VPC Interface Endpoint and doesn't require the inbound Resolver endpoint.

When you configure an interface VPC endpoint, an elastic network interface (ENI) with a private IP address is deployed in your subnet. An Amazon EC2 instance in the VPC can communicate with an Amazon S3 bucket through the ENI and AWS network. Using the interface endpoint, applications in your on-premises data center can easily query S3 buckets over AWS Direct Connect or Site-to-Site VPN. Interface endpoint supports a growing list of AWS services. Consult our documentation to find AWS services compatible with interface endpoints powered by AWS PrivateLink. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/

Ans: A S3 Interface Endpoint: By creating an S3 interface endpoint within the VPC, the company can establish a private connection to S3 buckets without traversing the public internet. Route 53 Resolver (Implicit): VPC endpoint DNS names inherently resolve through Route 53 Resolver within the VPC. No explicit configuration for a separate Route 53 Resolver inbound endpoint is required. On-premises Application Update: Updating the application configuration to utilize the Regional VPC endpoint DNS hostname mapped to the S3 interface endpoint allows the application to connect to S3 through the private connection. B. Route 53 Resolver Inbound Endpoint (Unnecessary): While Route 53 Resolver can be used for DNS resolution within a VPC, in this case, the VPC endpoint DNS name itself resolves through Route 53 Resolver implicitly. Setting up an additional inbound endpoint is not required.

D. S3 uses GW endpoint. So between B and D -> D

Correct answer is B. The question says "..... without using the public IP address space? " Use a private IP address over Direct Connect (with an interface VPC endpoint)

https://repost.aws/knowledge-center/s3-bucket-access-direct-connect No need to inbound resolver. it is enough with the interface DNS hostname

A it's not correct because if you configure your local DNS to forward s3 dns queries to S3 VPC Endpoints you will not reach the private vpc endpoints without tells to your dns server how to reach it

This solution maintains the use of private IP address space and avoids the need for public IP addresses. It ensures that the on-premises applications can securely access Amazon S3 in the us-west-2 Region without relying on public internet connectivity. Options A and D are incorrect because they refer to S3 interface endpoints without involving Route 53 Resolver, which is necessary for DNS resolution. Option C mentions an S3 gateway endpoint, but S3 gateway endpoints are used for accessing S3 from on-premises environments, not for VPC-to-S3 communication.

You dont need an inbound endpoint, it can be resolved on any public dns resolving to the private IP of the endpoint, that because the endpoint domain name is Public ( *vpce.amazonaws.com)

The answer is A. You don't need to have an inbound endpoint in order to resolve the DNS. The endpoint DNS names can be resolved from anywhere but they will resolve to the private IPs. You can try to create an endpoint and resolve it from your PC ;)

B - https://aws.amazon.com/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/

B - agreed, gateway endpoint is available within the VPC

https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html

https://repost.aws/knowledge-center/s3-bucket-access-direct-connect