ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 471 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 471
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company uses AWS Organizations. The company runs two firewall appliances in a centralized networking account. Each firewall appliance runs on a manually configured highly available Amazon EC2 instance. A transit gateway connects the VPC from the centralized networking account to VPCs of member accounts. Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet.

During a recent incident, a badly configured script initiated the termination of both firewall appliances. During the rebuild of the firewall appliances, the company wrote a new script to configure the firewall appliances at startup.

The company wants to modernize the deployment of the firewall appliances. The firewall appliances need the ability to scale horizontally to handle increased traffic when the network expands. The company must continue to use the firewall appliances to comply with company policy. The provider of the firewall appliances has confirmed that the latest version of the firewall code will work with all AWS services.

Which combination of steps should the solutions architect recommend to meet these requirements MOST cost-effectively? (Choose three.)

  • A. Deploy a Gateway Load Balancer in the centralized networking account. Set up an endpoint service that uses AWS PrivateLink.
  • B. Deploy a Network Load Balancer in the centralized networking account. Set up an endpoint service that uses AWS PrivateLink.
  • C. Create an Auto Scaling group and a launch template that uses the new script as user data to configure the firewall appliances. Create a target group that uses the instance target type.
  • D. Create an Auto Scaling group. Configure an AWS Launch Wizard deployment that uses the new script as user data to configure the firewall appliances. Create a target group that uses the IP target type.
  • E. Create VPC endpoints in each member account. Update the route tables to point to the VPC endpoints.
  • F. Create VPC endpoints in the centralized networking account. Update the route tables in each member account to point to the VPC endpoints.
Show Suggested Answer Hide Answer
Suggested Answer: ACF 🗳️
by CMMC at March 19, 2024, 4:08 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
yog927
Highly Voted 1 year ago
Selected Answer: ACF
Refer this https://aws.amazon.com/blogs/networking-and-content-delivery/centralized-inspection-architecture-with-aws-gateway-load-balancer-and-aws-transit-gateway/ The endpoint is created in the centralized account only.
upvoted 13 times
titi_r
1 year ago
No doubt that “A” and “C” are correct. E – it’s a valid config, but it’s against any logic – having a TGW and at the same time paying for GWLBEs in each member account’s VPC. F – The answer says “Update the route tables in each member account to point to the VPC endpoints.” – this is NOT possible. The route tables of the member/spoke accounts point to the TGW’s ENI (for 0.0.0.0/0) in their own VPC; they cannot point to the (GWLB) VPC endpoints in another VPC. Check the route table of Spoke1 VPC in below diagram – Destination: 0.0.0.0/0, Target: tgw-id (NOT vpce-az-a-id): https://d2908q01vomqb2.cloudfront.net/5b384ce32d8cdef02bc3a139d4cac0a22bb029e8/2022/04/14/GWLB_TGW_FIGURE2.jpg - P.S. Who wrote this question is an incompetent.
upvoted 9 times
altonh
2 months ago
I think the TGW is a distraction, so in E, you need to "Update the route tables to point to the VPC endpoints.".
upvoted 1 times
...
...
...
blackname
Highly Voted 11 months, 2 weeks ago
Selected Answer: ACF
A - Gateway Load Balancer is LB type used to redirect traffic to traffic inspection devices like firewalls, this is done via GENEVE network protocol. (correct) B - NLB could not be used, NLB does not support GENEVE protocol. (incorrect) C - ASG is the way to go for this scenario, in addition could be add Autoscaling policies to add more instances during traffic spikes and reduce when no traffic spikes (correct) D - Launch wizard work directly with resource EC2 and EBS, I didn't see any integration with ASG (incorrect) E - Works but it's not cost effective, VPCE have a price of 0.01$/hour/az each, so if you have GWLB in multi-az you would pay (1VPCE * number of AZs * number of member account) (incorrect - not cost effective) F - Since transit gateway is used, all traffic could be routed to the centralized networking account, and in there 0.0.0.0/0 traffic would go to the GWLB endpoints, so instead of multiple vpc endpoints you would only have 1VPCE * number of AZs (correct)
upvoted 7 times
...
zhen234
Most Recent 2 months, 4 weeks ago
Selected Answer: ACE
VPC endpoints need to be created in member accounts, not the centralized account.
upvoted 1 times
...
TomTom
5 months, 1 week ago
Selected Answer: ACE
ACE Can meet the requirement with most cost-effective
upvoted 1 times
TomTom
4 months, 2 weeks ago
Typo, it should be ACF.
upvoted 1 times
...
...
0b43291
5 months, 1 week ago
Selected Answer: ACF
Gateway Load Balancer (Step A): The Gateway Load Balancer (GWLB) is designed specifically for centralized inspection architectures, where traffic needs to be inspected or processed by third-party virtual appliances, such as the firewall appliances in this scenario. GWLB provides a cost-effective and scalable solution for distributing traffic across the firewall appliances. Auto Scaling Group and Launch Template (Step C): As mentioned in my previous response, creating an Auto Scaling group and a launch template that uses the new script as user data allows for automated and consistent deployment of the firewall appliances, as well as horizontal scaling to handle increased traffic. VPC Endpoints in the Centralized Networking Account (Step F): Creating VPC endpoints in the centralized networking account and updating the route tables in each member account to point to these VPC endpoints enables secure and private communication between the member accounts and the firewall appliances, without the need for an internet gateway or NAT gateway.
upvoted 1 times
...
milesToGo
5 months, 1 week ago
Guys, The answer is ACE. AWS PrivateLink — A technology that provides private connectivity between VPCs and services. VPC endpoint — The entry point in your VPC that enables you to connect privately to a service. So Got to choose E - Create VPC endpoints in each member account. Update the route tables to point to the VPC endpoints. Check ChatGPT, Check Google Gemini (Do you create a VPC endpoint in centralized account or each member account if Gateway Load Balancer in the centralized networking account is set up as endpoint service using AWS PrivateLink) Go to Concepts and read under service name https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html
upvoted 2 times
...
AzureDP900
5 months, 2 weeks ago
The correct answers are A, C, and E. Option A: Deploying a Gateway Load Balancer allows for efficient routing and scaling, while setting up an endpoint service using AWS PrivateLink enables secure and private connectivity between the load balancer and member accounts. Option C: Creating an Auto Scaling group with a launch template that uses the new script as user data ensures consistent configuration of firewall appliances. Additionally, creating a target group with the instance target type allows for efficient routing of traffic to the scaled instances. Option E: Creating VPC endpoints in each member account enables direct access to the centralized networking account's resources without the need for public IP addresses or NAT devices. This is particularly beneficial when deploying highly available and scalable firewall appliances.
upvoted 1 times
...
Danm86
6 months ago
Between E and F, I vote for option E, because already there is transit gateway for communication from centrailzed account to member accounts.
upvoted 1 times
...
kgpoj
7 months, 2 weeks ago
Selected Answer: ACE
A has VPC Endpoint Service in central VPC Then we should have VPC endpoints in member accounts
upvoted 1 times
...
testo001
8 months, 3 weeks ago
Selected Answer: ACE
Main discussion about E and F
upvoted 1 times
...
vip2
9 months, 1 week ago
Selected Answer: ACE
Main discussion about E and F it combine Member VPC, Centralize networking, Endpoint Service, VPC Endpoint Accoring to statement and answer A and C, that mean Transit-GW is in memeber VPC Firewall in Centralize VPC which alread has Endpoint Service in PrivateLink, So, MUST have VPC Endpoint in Memeber account, not Centralized Another important is 'Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet ', which prevent use one IP from transit-GW as endpoint.
upvoted 3 times
...
vip2
9 months, 3 weeks ago
Main discussion about E and F it combine Member VPC, Centralize networking, Endpoint Service, VPC Endpoint Accoring to statement and answer A and C, that mean Transit-GW is in memeber VPC Firewall in Centralize VPC which alread has Endpoint Service in PrivateLink, So, MUST have VPC Endpoint in Memeber account, not Centralized Another important is 'Each firewall appliance uses a static private IP address that is then used to route traffic from the member accounts to the internet ', which prevent use one IP from transit-GW as endpoint.
upvoted 1 times
...
grandcanyon
9 months, 4 weeks ago
Selected Answer: ACE
https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway-load-balancer.html
upvoted 5 times
...
trungtd
10 months, 3 weeks ago
Selected Answer: ACF
Having multiple VPC endpoints will make connection unscalable
upvoted 3 times
...
Zas1
11 months, 1 week ago
Selected Answer: ACE
F discard because update route. Explain "titi_r"
upvoted 3 times
...
2aa610e
11 months, 3 weeks ago
Selected Answer: ACE
gateway loadbalancer endpoint needs to be in the spoke VPC. https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/
upvoted 3 times
...
7f6aef3
11 months, 3 weeks ago
Selected Answer: ACE
VPC endpoint service in central account VPC endpoint in memeber account F is wrong
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago