Exam AWS Certified Solutions Architect - Professional All Questions

Exam AWS Certified Solutions Architect - Professional topic 1 question 873 discussion

A company has two VPCs: VPC A and VPC B. The company uses a solution in VPC A in the ca-central-1 Region to expose services that are deployed on Amazon EC2 instances. The services read objects that are stored in an Amazon S3 bucket in ca-central-1. The S3 bucket must not be publicly accessible, and the EC2 instances must use a gateway VPC endpoint. A rule in the S3 bucket policy allows only traffic that comes from the VPC A endpoint.

The company recently created another application. The application is hosted on EC2 instances that are deployed in VPC B in the us-east-1 Region in the same AWS account. The application needs to access objects that are stored in the S3 bucket in ca-central-1.

Which solution will meet these requirements?

  • A. Create a cross-Region VPC peering connection between the two VPCs. Add a route in the route table of VPC B to use the peering connection to access the S3 gateway VPC endpoint.
  • B. Create a gateway VPC endpoint in VPC B in us-east-1. Add a route in the route table of VPC B to use the S3 gateway VPC endpoint to access Amazon S3. Update the S3 bucket policy to accept connection from this gateway VPC endpoint.
  • C. Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use AWS PrivateLink with a Network Load Balancer (NLB) to expose the services in VPC A in ca-central-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services.
  • D. Create a virtual private gateway, and attach it to VPC A in ca-central-1. Create an IPsec VPN connection between the EC2 instances in us-east-1 and the virtual private gateway. Grant the EC2 instances in us-east-1 direct access to the S3 bucket by adding a route to use the VPN connection to access Amazon S3.
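The question turns on the bucket-policy rule that admits only traffic arriving through the VPC A endpoint: any new access path, whatever option is chosen, only works if the endpoint it enters through is also listed in that rule. The following Python is an added illustration, not code from the exam item or from any commenter: it builds such a policy (an explicit Deny keyed on `aws:SourceVpce`, the standard pattern for this restriction), evaluates sample requests against it, and shows the policy before and after a second endpoint is added. The bucket name and the `vpce-…` IDs are constructed placeholders, and `request_is_denied` models only the endpoint condition, not full IAM evaluation.

```python
"""Added illustration for the bucket-policy rule in the question above; it is
not code from the exam item or from any commenter. Bucket name and endpoint
IDs are constructed placeholders."""
import json

# Constructed placeholder identifiers (not real AWS resources).
BUCKET = "example-bucket-ca-central-1"
VPC_A_GATEWAY_ENDPOINT = "vpce-0a1b2c3d4e5f60001"    # gateway endpoint in VPC A, ca-central-1
VPC_C_INTERFACE_ENDPOINT = "vpce-0a1b2c3d4e5f60003"  # interface endpoint in VPC C, ca-central-1


def build_bucket_policy(bucket, allowed_endpoints):
    """Bucket policy that denies every S3 action on the bucket unless the
    request arrived through one of the listed VPC endpoints. An explicit Deny
    with StringNotEquals is used because an explicit Deny overrides any Allow
    that an IAM identity policy might grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromApprovedVpcEndpoints",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": list(allowed_endpoints)}
                },
            }
        ],
    }


def request_is_denied(policy, source_vpce):
    """Evaluate the policy's aws:SourceVpce Deny statements for one request.

    source_vpce is the VPC endpoint ID the request came through, or None for a
    request that did not traverse a VPC endpoint at all (public internet, a
    peered VPC, a VPN). When the condition key is absent from the request, a
    negated operator such as StringNotEquals evaluates to true, so the Deny
    applies; that is what keeps the bucket closed to non-endpoint traffic."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        allowed = stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]
        if source_vpce is None or source_vpce not in allowed:
            return True
    return False


def policy_update_for_new_endpoint(bucket, existing_endpoints, new_endpoint):
    """Return (before, after): the original rule admitting only the VPC A
    endpoint, and the same rule extended with the endpoint that the new
    access path enters through (here, a hypothetical interface endpoint in
    a VPC in ca-central-1)."""
    before = build_bucket_policy(bucket, existing_endpoints)
    after = build_bucket_policy(bucket, list(existing_endpoints) + [new_endpoint])
    return before, after


if __name__ == "__main__":
    before, after = policy_update_for_new_endpoint(
        BUCKET, [VPC_A_GATEWAY_ENDPOINT], VPC_C_INTERFACE_ENDPOINT
    )
    for label, policy in (("before", before), ("after", after)):
        print(f"--- {label} ---")
        print(json.dumps(policy, indent=2))
        for name, vpce in (("VPC A gateway endpoint", VPC_A_GATEWAY_ENDPOINT),
                           ("VPC C interface endpoint", VPC_C_INTERFACE_ENDPOINT),
                           ("no endpoint (internet/peering/VPN)", None)):
            verdict = "DENIED" if request_is_denied(policy, vpce) else "allowed"
            print(f"{name}: {verdict}")
```

Running the script prints both policies and the verdict per request source. The "before" policy denies the second endpoint and denies any request without a `aws:SourceVpce` value, which is the behaviour the question relies on; the "after" policy admits both endpoints while still denying endpoint-less traffic, so adding an access path is always paired with a deliberate change to this condition rather than a widening to `"Principal": "*"` without conditions.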
Suggested Answer: C

Comments

JohnPi
Highly Voted 2 years, 1 month ago
Selected Answer: C
C is the answer; you need an interface gateway. S3 access through gateway endpoints is supported only for resources in a specific VPC to which the endpoint is associated. S3 gateway endpoints do not currently support access from resources in a different Region, a different VPC, or an on-premises (non-AWS) environment. https://aws.amazon.com/blogs/architecture/choosing-your-vpc-endpoint-strategy-for-amazon-s3/
upvoted 10 times
timmysixstrings
1 year, 12 months ago
I think that your interpretation of this is wrong. Accessing the gateway endpoint in VPC B from VPC B is fine because it's the same Region and the same VPC. In other words, the gateway endpoint and the resource using it need to be in the same VPC/Region. This restriction doesn't apply to the bucket in S3 (the gateway endpoint can access a bucket in another Region without issue). The answer is B.
upvoted 1 times
Kakusaif
2 years, 1 month ago
Agreed. Resources on the other side of a VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use an S3 gateway endpoint to communicate with Amazon S3.
upvoted 2 times
rajvee
Highly Voted 2 years, 3 months ago
Selected Answer: A
I believe it should be A: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/
upvoted 8 times
Kakusaif
2 years, 1 month ago
The question mentions an S3 gateway endpoint. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use an S3 gateway endpoint to communicate with Amazon S3.
upvoted 2 times
nano2nd
2 years ago
For example, if you deploy an S3 VPC endpoint in the us-west-2 Region, then you can access S3 buckets in us-west-2 from that VPC endpoint.
upvoted 1 times
nano2nd
2 years ago
From that link: "However, you can access these VPC endpoints from the same Region only. For example, if you deploy an S3 VPC endpoint in the us-west-2 Region, then you can access S3 buckets in us-west-2 from that VPC endpoint."
upvoted 1 times
devilman222
Most Recent 3 months, 2 weeks ago
Selected Answer: C
A - I would have to try it out. I don't think it would work. B - It's marked as the correct answer. I am not sure why, but the correct answer is almost always wrong. C - This seems crazy and overkill, but it should work.
upvoted 1 times
WhyIronMan
4 months, 3 weeks ago
Selected Answer: A
A) and here's the reasoning:
  • Cross-Region VPC Peering: This allows the instances in VPC B to communicate with resources in VPC A, which includes the gateway VPC endpoint for S3.
  • Using the Gateway VPC Endpoint: The S3 gateway endpoint in VPC A enables secure access to S3 without the need for public internet access, which aligns with the requirement that the S3 bucket should not be publicly accessible.
  • Bucket Policy: Since the bucket policy allows traffic only from the VPC A endpoint, the cross-Region peering allows the EC2 instances in VPC B to utilize the endpoint from VPC A for accessing S3.
  • Other options either involve creating unnecessary resources (like an additional VPC or VPN connections) or do not align with the requirements of accessing the S3 bucket securely from a different Region without making it public.
upvoted 1 times
WhyIronMan
4 months, 3 weeks ago
No, I am WRONG! It is not A. The AWS documentation says: "However, gateway endpoints do not allow access from on-premises networks, from peered VPCs in other AWS Regions, or through a transit gateway."
upvoted 1 times
MikelH93
1 year, 6 months ago
Selected Answer: A
https://repost.aws/knowledge-center/vpc-endpoints-cross-region-aws-services - need peering and an updated route table with the endpoint.
upvoted 1 times
MikelH93
1 year, 6 months ago
I was wrong. After re-reading the article, you need an endpoint interface to do cross-Region.
upvoted 1 times
MikelH93
1 year, 6 months ago
Answer C. Sorry for the multiple posts.
upvoted 1 times
dev112233xx
1 year, 7 months ago
Selected Answer: A
A is easy.
upvoted 1 times
vn_thanhtung
1 year, 3 months ago
Note: The following example uses Amazon S3 interface endpoints for cross-Region traffic because gateway endpoints don't support cross-Region access. Use the same setup for any VPC interface endpoint.
upvoted 1 times
hobokabobo
1 year, 8 months ago
Selected Answer: B
S3 is a global resource, so you can access an S3 bucket from any regional access point. Gateway access points, on the other hand, are regional. Ultimately it is routing S3 requests to the regional access point. Works. C is a little cumbersome for S3 access but - depending on how I choose to interpret the implementation details - might work. But, for one, if I want an interface endpoint, I would simply create an S3 endpoint; and secondly, the question explicitly states that an S3 gateway endpoint has to be used. C uses interface endpoints to services and not gateway endpoints.
upvoted 2 times
Rakesh8585
1 year, 8 months ago
Selected Answer: B
It is B: https://repost.aws/knowledge-center/connect-s3-vpc-endpoint
upvoted 2 times
[Removed]
1 year, 9 months ago
Must be C by process of elimination.
upvoted 1 times
Heer
1 year, 10 months ago
Option B is the right answer. It's important to note that cross-Region VPC peering is supported between VPCs in different accounts and different Regions, but it is not currently supported between VPCs in different Regions within the same account. Also, to use VPC endpoints to access S3 resources across Regions, you will need to create a VPC endpoint for each S3 Region that you want to access.
upvoted 2 times
evargasbrz
1 year, 11 months ago
Selected Answer: C
A -> Resources on the other side of a VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use an S3 gateway endpoint to communicate with Amazon S3. B -> It's not possible: "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html So I'll go with C.
upvoted 2 times
mike9999
1 year, 11 months ago
Selected Answer: A
It's A because of https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/
upvoted 1 times
janvandermerwer
2 years ago
Selected Answer: C
D seems overkill. A doesn't seem like it's going to work. B also won't work. Answer must be C: a gateway VPC endpoint is VPC-specific and allows access to resources in that Region only. "A gateway endpoint is available only in the Region where you created it. Be sure to create your gateway endpoint in the same Region as your S3 buckets." "Endpoint connections cannot be extended out of a VPC. Resources on the other side of a VPN connection, VPC peering connection, transit gateway, or AWS Direct Connect connection in your VPC cannot use a gateway endpoint to communicate with Amazon S3." https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-s3.html
upvoted 1 times
Rocketeer
2 years, 1 month ago
A: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/
upvoted 1 times
AwsBRFan
2 years, 1 month ago
Selected Answer: A
https://aws.amazon.com/premiumsupport/knowledge-center/vpc-endpoints-cross-region-aws-services/
upvoted 1 times
joanneli77
2 years, 2 months ago
Answer is B IMHO - you can write to an S3 bucket from anywhere, and a gateway endpoint in VPC B is to the S3 service in that Region. Yes, there is more latency. As long as I can communicate with the S3 service and have some sort of auth, I can write to a bucket anywhere.
upvoted 5 times
sb333
2 years, 2 months ago
Selected Answer: C
Neither A nor B is correct. This is because they both use S3 "gateway" endpoints. Gateway endpoints cannot be used outside of their own VPC, and they also cannot reference S3 buckets in another Region. Answer C is correct. Answer C has both relevant and non-relevant information in it. The relevant part for accessing the S3 bucket from both Regions is: "Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services." An interface VPC endpoint is a newer offering (for S3) and can be accessed across a cross-Region VPC peering connection. The rest of the answer isn't relevant, as it speaks to what you can do for accessing the application. https://aws.amazon.com/blogs/aws/aws-privatelink-for-amazon-s3-now-available/
upvoted 5 times
AkaAka4
2 years ago
This comment really helped me understand. Thanks so much!
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other