Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 56 discussion

The correct solution to meet these requirements is option C. To design the API Gateway URL with the company's domain name and corresponding certificate, the company needs to do the following: 1. Create a Regional API Gateway endpoint: This will allow the company to create an endpoint that is specific to a region. 2. Associate the API Gateway endpoint with the company's domain name: This will allow the company to use its own domain name for the API Gateway URL. 3. Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region: This will allow the company to use HTTPS for secure communication with its APIs. 4. Attach the certificate to the API Gateway endpoint: This will allow the company to use the certificate for securing the API Gateway URL. 5. Configure Route 53 to route traffic to the API Gateway endpoint: This will allow the company to use Route 53 to route traffic to the API Gateway URL using the company's domain name.

I think the answer is C. we don't need to attach a certificate in us-east-1, if is not for cloudfront. In our case the target is ca-central-1.

I selected B intially as I mixed API Gateway with CloudFront, for CloudFront, it is a global service, the cert needs to be in us-east-1 region as CF's control plane is in us-east-1 region, but for regional API Gateway, ELB, they should be in the same region as the service. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html

Ans C - as per Buruguduystunstugudunstuy (1 year, 8 months ago) for the reasons therein... Not sure what Ans D is addressing...

Option C has all the steps to meet the requirenment and attach certificate in the same region

C for sure

BD are wrong because they are in wrong regions. A. Does not help with R53 routing to API Gateway and not sure what it's trying to do here C is correct

Important For an API Gateway Regional custom domain name, you must request or import the certificate in the same Region as your API.

All certificates in ACM are regional resources, including the certificates that you import. To use the same certificate with Elastic Load Balancing load balancers in different AWS Regions, you must import the certificate into each Region where you want to use it. To use a certificate with Amazon CloudFront, you must import it into the US East (N. Virginia) Region. https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html

Only if the API Gateway is global then the corresponding AWS ACM Certificate must be placed in us-east-1

Correct answer

A records support Elasticity and load balancing and by default resilience is Key in any configuration in AWS

now I am confused, I would have chosen C, but with a Closer look D might be right, because of the A records and again the region used and not stated can be for resilience. I think? can someone clarify

Explain why this saying a different region which not mentioned in the Q.

c is right The other options have various issues: Option A: Using stage variables and importing certificates into ACM is not sufficient for achieving the requirement of associating a custom domain and certificate with the API Gateway endpoint. Option B: While it mentions importing the certificate into ACM, it doesn't address the need for a Regional API Gateway or the appropriate region for the certificate. Option D: Using certificates from the us-east-1 region for a Regional API Gateway might cause issues. Additionally, it doesn't provide clear details on how to associate the domain name and certificate with the API Gateway endpoint.

C is the correct solution. To use a custom domain name with HTTPS for API Gateway: The API Gateway endpoint needs to be Regional, not private or edge-optimized. The ACM certificate must be requested in the same region as the API Gateway endpoint. The custom domain name is then mapped to the Regional API endpoint under API Gateway domain names. Route 53 is configured to route traffic to the API Gateway regional domain. The ACM certificate is attached to the API Gateway domain name to enable HTTP

Import the public certificate associated with the company's domain name into AWS Certificate Manager (ACM) in the same Region.