Exam AWS Certified Solutions Architect - Professional topic 1 question 591 discussion

A web application is hosted in a dedicated VPC that is connected to a company's on-premises data center over a Site-to-Site VPN connection. The application is accessible from the company network only. This is a temporary non-production application that is used during business hours. The workload is generally low with occasional surges.
The application has an Amazon Aurora MySQL provisioned database cluster on the backend. The VPC has an internet gateway and NAT gateways attached.
The web servers are in private subnets in an Auto Scaling group behind an Elastic Load Balancer. The web servers also upload data to an Amazon S3 bucket through the internet.
A solutions architect needs to reduce operational costs and simplify the architecture.
Which strategy should the solutions architect use?

  • A. Review the Auto Scaling group settings and ensure the scheduled actions are specified to operate the Amazon EC2 instances during business hours only. Use 3-year scheduled Reserved Instances for the web server EC2 instances. Detach the internet gateway and remove the NAT gateways from the VPC. Use an Aurora Serverless database and set up a VPC endpoint for the S3 bucket.
  • B. Review the Auto Scaling group settings and ensure the scheduled actions are specified to operate the Amazon EC2 instances during business hours only. Detach the internet gateway and remove the NAT gateways from the VPC. Use an Aurora Serverless database and set up a VPC endpoint for the S3 bucket, then update the network routing and security rules and policies related to the changes.
  • C. Review the Auto Scaling group settings and ensure the scheduled actions are specified to operate the Amazon EC2 instances during business hours only. Detach the internet gateway from the VPC, and use an Aurora Serverless database. Set up a VPC endpoint for the S3 bucket, then update the network routing and security rules and policies related to the changes.
  • D. Use 3-year scheduled Reserved Instances for the web server Amazon EC2 instances. Remove the NAT gateways from the VPC, and set up a VPC endpoint for the S3 bucket. Use Amazon CloudWatch and AWS Lambda to stop and start the Aurora DB cluster so it operates during business hours only. Update the network routing and security rules and policies related to the changes.
Suggested Answer: B

Comments

Nemer
Highly Voted 3 years, 2 months ago
B. We are charged for each "NAT Gateway-hour" even without data going through it. https://aws.amazon.com/vpc/pricing/
upvoted 19 times
oscargee
3 years, 1 month ago
How would you handle "The web servers also upload data to an Amazon S3 bucket through the internet"? NAT has to be kept.
upvoted 1 times
Viper57
3 years, 1 month ago
Using an S3 VPC endpoint that goes over the AWS backend solves this problem.
upvoted 5 times
mnsait
2 days, 2 hours ago
Without NAT, how will the web servers in private subnets receive patching? The only option not removing NAT is C. Plus it addresses all the requirements mentioned in the question. My answer is C.
upvoted 1 times
mnsait
2 days, 2 hours ago
Just realized that this is a temporary solution. In the short term, one can live without patching. More importantly, the question asks to reduce operational cost and simplify the architecture. Hence I change my answer to B.
upvoted 1 times
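Viper57's point above (and Pb55's further down) is that an S3 gateway endpoint gives the private web subnets a path to S3 that does not go through a NAT gateway, and answer B also requires updating "the network routing and security rules and policies". What follows is an added example, not code from the exam question or from any commenter: the pre-flight audit a practitioner would run before deleting the NAT gateways. It lists every route that still depends on a NAT gateway, flags private route tables that have no route to the S3 endpoint, and checks that the bucket policy restricts access to requests arriving through that endpoint using the aws:SourceVpce condition key. The route tables, endpoint and bucket policy are constructed to mirror the shape of the EC2 and S3 API responses; every resource ID and the bucket name are hypothetical.

```python
"""Pre-flight audit for replacing NAT gateways with an S3 gateway endpoint.

Added example, not code from the exam question or any commenter. The route
tables, endpoint and bucket policy are constructed to mirror the shape of
`aws ec2 describe-route-tables`, `aws ec2 describe-vpc-endpoints` and
`aws s3api get-bucket-policy` output; every resource ID is made up.
"""
import json

VPCE_ID = "vpce-0a1b2c3d4e5f67890"   # hypothetical S3 gateway endpoint
BUCKET = "example-upload-bucket"     # hypothetical upload bucket

S3_ENDPOINT = {"VpcEndpointId": VPCE_ID, "VpcEndpointType": "Gateway",
               "ServiceName": "com.amazonaws.us-east-1.s3"}

# Constructed route tables. A gateway-endpoint route appears as a prefix-list
# destination whose GatewayId is the vpce-* ID; NAT routes carry NatGatewayId;
# the on-premises range goes to the virtual private gateway (vgw-*), which is
# why the Site-to-Site VPN keeps working without an internet gateway.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0aaa",  # private web subnet A: endpoint route present
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0111"},
         {"DestinationCidrBlock": "172.16.0.0/12", "GatewayId": "vgw-0999"},
         {"DestinationPrefixListId": "pl-63a5400a", "GatewayId": VPCE_ID},
     ]},
    {"RouteTableId": "rtb-0bbb",  # private web subnet B: endpoint route missing
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0222"},
         {"DestinationCidrBlock": "172.16.0.0/12", "GatewayId": "vgw-0999"},
     ]},
    {"RouteTableId": "rtb-0ccc",  # public subnet that hosts the NAT gateways
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0777"},
     ]},
]

# Constructed bucket policy using the AWS-documented aws:SourceVpce pattern:
# deny every request that does not arrive through our endpoint.
PINNED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessViaS3Endpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}


def nat_dependent_routes(route_tables):
    """(route table, destination, NAT gateway) for every route that still
    points at a NAT gateway. Each one stops working when the NAT gateways are
    deleted, so each needs a replacement path or a decision that the traffic
    is no longer required."""
    return [(rtb["RouteTableId"], r.get("DestinationCidrBlock"), r["NatGatewayId"])
            for rtb in route_tables for r in rtb["Routes"] if "NatGatewayId" in r]


def tables_missing_s3_endpoint(route_tables, endpoint):
    """Route tables that reach the internet through NAT today but have no
    route to the S3 gateway endpoint; uploads from their subnets would fail
    once NAT is removed."""
    vpce = endpoint["VpcEndpointId"]
    return [rtb["RouteTableId"] for rtb in route_tables
            if any("NatGatewayId" in r for r in rtb["Routes"])
            and not any(r.get("GatewayId") == vpce for r in rtb["Routes"])]


def bucket_policy_pins_endpoint(policy, bucket, vpce):
    """True if a statement denies all principals "s3:*" on the bucket and its
    objects unless aws:SourceVpce equals our endpoint. Only the literal
    "Principal": "*" form is recognised."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        res = st.get("Resource", [])
        res = {res} if isinstance(res, str) else set(res)
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if (wanted <= res and st.get("Action") == "s3:*"
                and cond.get("aws:SourceVpce") == vpce):
            return True
    return False


def audit(route_tables=ROUTE_TABLES, endpoint=S3_ENDPOINT, policy=PINNED_POLICY):
    """The findings a reviewer wants before approving NAT gateway removal."""
    return {
        "nat_routes": nat_dependent_routes(route_tables),
        "tables_missing_s3_endpoint": tables_missing_s3_endpoint(route_tables, endpoint),
        "bucket_pinned_to_endpoint":
            bucket_policy_pins_endpoint(policy, BUCKET, endpoint["VpcEndpointId"]),
    }


if __name__ == "__main__":
    print(json.dumps(audit(), indent=2))
```

On the constructed data the audit flags rtb-0bbb as missing the endpoint route and lists both 0.0.0.0/0 NAT routes. Any NAT route that survives the endpoint rollout is traffic with no path after the change; that is exactly the patching question mnsait raises above, and it has to be answered (another endpoint, an on-premises repository over the VPN, or accepting the gap for a temporary workload) before the gateways are deleted. One caveat on the aws:SourceVpce deny: it also blocks requests that do not come through the endpoint, including an administrator's console or CLI session from the corporate network, unless the policy carves those principals out.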
amaltare
Highly Voted 3 years, 2 months ago
Guys.. has anyone noticed that a site-to-site VPN is in place and, for this to work, an internet gateway is required? But A, B and C, all three options, are saying to remove the internet gateway. I don't think it will work then. I will go with D.
upvoted 12 times
MichaelR
3 years, 2 months ago
Just found this in the AWS S2S docs: "An Internet gateway is not required to establish a Site-to-Site VPN connection."
upvoted 2 times
beso
3 years, 2 months ago
A site-to-site VPN creates an IPsec tunnel from an EC2 instance to a device of your choice on-prem. The IGW is required for that tunnel to have a route out of the VPC.
upvoted 1 times
cloudgc
3 years, 2 months ago
B - https://aws.amazon.com/vpn/faqs/#:~:text=Amazon%20supports%20Internet%20Protocol%20security,-to-Site%20VPN%20connection.
upvoted 3 times
Mansur
3 years, 1 month ago
An Internet gateway is not required to establish a Site-to-Site VPN connection. Ref: https://aws.amazon.com/vpn/faqs/#:~:text=Amazon%20supports%20Internet%20Protocol%20security,-to-Site%20VPN%20connection.
upvoted 4 times
Sunflyhome
3 years, 1 month ago
To build site-to-site vpn, you don't need internet gateway. Instead, customer gateway is needed. https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-cgw
upvoted 10 times
evargasbrz
Most Recent 1 year, 11 months ago
Selected Answer: B
B -> looks good. C -> it makes no sense to be charged per NAT Gateway-hour.
upvoted 1 times
Heer
2 years, 1 month ago
The right answer between B and C is B. The question says we do have IGW and NAT, and option C is removing IGW only. NAT cannot operate without IGW and that is why option C doesn't make sense.
upvoted 1 times
AwsBRFan
2 years, 2 months ago
Selected Answer: B
VPN requires a Virtual Private Gateway.
upvoted 1 times
kangtamo
2 years, 5 months ago
Selected Answer: B
Go with B.
upvoted 1 times
AzureDP900
3 years ago
B is right
upvoted 2 times
vbal
3 years ago
A is wrong because SRI can't have a 3-year reservation.
upvoted 1 times
Pb55
3 years, 1 month ago
S3 VPC endpoint means no need for IGW or NAT. So B.
upvoted 3 times
oscargee
3 years, 1 month ago
C! B and C are almost the same. But you need NAT to allow web servers in a VPC private subnet to upload data to an Amazon S3 bucket through the internet.
upvoted 1 times
jobe42
3 years, 1 month ago
B... "and set up a VPC endpoint for the S3 bucket"
upvoted 1 times
blackgamer
3 years, 1 month ago
Going with B.
upvoted 1 times
Waiweng
3 years, 1 month ago
it's B
upvoted 3 times
Pupu86
3 years, 1 month ago
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html This link shows you how to create a site-to-site VPN connection to your AWS VPCs. No internet gateway or NAT gateway is required
upvoted 1 times
Kian1
3 years, 1 month ago
going with B
upvoted 2 times
Ebi
3 years, 1 month ago
Answer is B
upvoted 4 times
kopper2019
3 years, 1 month ago
B. What would you need an Internet GW and NAT GW for when all is private using a VPN? And RI is not needed since it is temporary, so buying RIs for 3 years would mean losing money.
upvoted 1 times
Bulti
3 years, 1 month ago
B is the right answer. A and D are out because scheduled reserved instances are not required, as it is a temporary application. C is identical to B but it keeps the NAT Gateway, which has extra unnecessary cost when we are using a VPC endpoint to talk to S3.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other