Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 811 discussion

I think is b. Private endpoint sounds like private vpc endpoint, that is equals to privatelink

B is correct

should be C: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-nac.html Amazon Managed Grafana workspace not created in VPC.....

With all due respect, once again options are poorly written: you don't create an Amazon Managed Grafana workspace IN or WITHOUT a VPC. Instead, you create an AMG WITH or WITHOUT a VPC CONNECTION: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-create-workspace.html (Step 8, Optional): You can choose to connect to an Amazon virtual private cloud (VPC) on this page, or you can connect to a VPC later. To learn more, see Connect to data sources or notification channels in Amazon VPC from Amazon Managed Grafana. According to the "to learn more" link, if you create the AMG WITHOUT a VPC CONNECTION: By default, traffic from your Amazon Managed Grafana workspace to data sources or notification channels flows via the public Internet. This limits the connectivity from your Amazon Managed Grafana workspace to services that are publicly accessible. So option "C" must be discarded as it doesn't comply company requirements of avoid using internet

A & D are out, because they're using public endpoints, which causes exposure over the Internet. Why C is wrong: If the Grafana workspace is not in a VPC, it cannot use PrivateLink endpoints. PrivateLink endpoints must reside within a VPC. If Grafana is outside the VPC, PrivateLink cannot establish the required secure, private connection.

https://docs.aws.amazon.com/grafana/latest/userguide/VPC-endpoints.html , https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-managed-grafana-connection-data-sources-hosted-virtual-private-cloud/

Choice B or C could be resolved in this way: B. Create an Amazon Managed Grafana workspace in a VPC C. Create an Amazon Managed Grafana workspace without a VPC As far as I know we cannot create workspace without VCP

After searching effort, I agree C is correct because AMG workspace can't include in VPC. When you have not configured a private VPC, and Amazon Managed Grafana is connecting to publicly accessible data sources, it connects to some AWS services in the same region via AWS PrivateLink. This includes services such as CloudWatch, Amazon Managed Service for Prometheus and AWS X-Ray. Traffic to those services does not flow via the public Internet.

(B or C)?-1 = Do we create AMG workspace in a VPC OR do we create AMG workspace without a VPC? AMG is NOT created within a VPC; AMG connects to a VPC. "Currently, you can connect one Amazon Managed Grafana workspace to one VPC endpoint in the same region and same account. However, you can use Virtual Private Cloud peering or AWS Transit Gateway to connect the cross-region or cross-account VPCs, then connect the select the VPC endpoint that’s in the same account and same region as your Amazon Managed Grafana workspace." -FAQs (C) is correct.

Its B. C is also a valid choice "Not exposing to the internet" is letting me eliminate C

B as you need to create Managed Grafana workspace with a VPC for private access https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-nac.html

https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-managed-grafana-connection-data-sources-hosted-virtual-private-cloud/

I guess they mean C, But again, it's strange... IMO B would also work... There is no requirement for the least effort... Pls, correct me if I'm wrong...

Once you configure direct connectivity between a Grafana workspace and a VPC, Amazon Managed Grafana creates and manages an elastic network interface (ENI) per subnet to connect to the VPC. This enables the Grafana workspace to connect to data sources within the VPC, such as OpenSearch domains or RDS databases. Additionally, all traffic is now routed through the configured VPC, including alert destination and data source connectivity.

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

cccc ccc