Exam AWS Certified SysOps Administrator - Associate topic 1 question 407 discussion

PrivateLink allows you to privately access services hosted on AWS in a scalable and secure manner. By creating an interface endpoint for the Lambda function, you can establish a private connection between the Lambda function and the RDS database without exposing it to the public internet.

The Lambda function needs to be configured to access resources within the VPC. By default, when you create a Lambda function, it is not connected to any VPC, which is why you would select B. AWS PrivateLink allows you to privately access services across VPCs and accounts. However, it is typically used to access AWS services or to create private connections to your own services. In this scenario, creating an interface endpoint (PrivateLink) would not be relevant if we're referring to a traditional database hosted on an EC2 instance or an RDS instance without its own PrivateLink-enabled endpoint.

B is a classic solution of Lambda <-> Private RDS within the same VPC A works but is not necessary

My explanation for A would be: Since the RDS is now in private Subnet, it will have an endpoint that will resolve to Private IP inside the VPC. When AWS Lambda tries to connect to RDS instance, it will use the RDS endpoint, but since DNS is in private subnet, Lambda cannot reach from Internet to this Private subnet. Hence, keeping the traffic inside VPC becomes viable using PrivateLink. Creating a Lambda Endpoint will allow the traffic of Lambda to stay inside of AWS within the VPC where it would be created and will allow seamless connectivity to other services inside the VPC.

I think A

AWS PrivateLink interface endpoints are two-way connections. They allow resources within a VPC to securely connect to services offered by AWS services or other VPCs through PrivateLink. This means traffic can flow in both directions: Outbound: The Lambda function can initiate requests to the database's private endpoint. Inbound: The database can potentially respond back to the Lambda function (although this is less common).

It is B. You want to place the lambda in the DB VPC.

I think A AWS Lambda now supports AWS PrivateLink which lets you create, manage, and invoke Lambda functions securely from inside your virtual private cloud (VPC) or on-premises data centers without exposing traffic to the public Internet. https://aws.amazon.com/blogs/aws/new-use-aws-privatelink-to-access-aws-lambda-over-private-aws-network/

Its answer C. As every lambda needs permissions to access resources inside a vpc: https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AWSLambdaVPCAccessExecutionRole.html

I think A.