Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 184 discussion

A company has an AWS account used for software engineering. The AWS account has access to the company’s on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway.

A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company’s data center.

Which solution will meet these requirements?

  • A. Configure the Lambda function to run in the VPC with the appropriate security group.
  • B. Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through the VPN.
  • C. Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect.
  • D. Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address without an elastic network interface.
Suggested Answer: A

Comments

Gil80
Highly Voted 2 years, 4 months ago
Selected Answer: A
To configure a VPC for an existing function: 1. Open the Functions page of the Lambda console. 2. Choose a function. 3. Choose Configuration and then choose VPC. 4. Under VPC, choose Edit. 5. Choose a VPC, subnets, and security groups. <-- **That's why I believe the answer is A**. Note: If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.
upvoted 24 times
markw92
1 year, 10 months ago
The question says on-prem database... how do we create a SG for that instance in AWS? C makes sense. My 2 cents.
upvoted 7 times
SSadiq
10 months, 1 week ago
SG is for Lambda and not for the on-prem database. A is the correct option
upvoted 2 times
...
AZ_Master
1 year, 4 months ago
A is correct. To configure SG for Lambda, go to Lambda function -> Configure -> Edit VPC and scroll down to see "security groups" where you can configure Lambda for VPC. Also see here: https://repost.aws/questions/QUSaj1a6jBQ92Kp56klbZFNw/aws-lambda-to-on-premise-via-direct-connect-and-aws-privatelink
upvoted 2 times
...
...
...
javitech83
Highly Voted 2 years, 4 months ago
Selected Answer: A
It is A. C is not correct at all, as in the question it mentions that the VPC already has connectivity with on-premises.
upvoted 11 times
LuckyAro
2 years, 3 months ago
C says to "update the route table" not create a new connection. C is correct.
upvoted 5 times
ruqui
1 year, 10 months ago
C is wrong. Lambda can't connect by default to resources in a private VPC, so you have to do some specific setup steps to run in a private VPC. Answer A is correct.
upvoted 3 times
...
Adios_Amigo
1 year, 12 months ago
No need to do route updates. This is because the route to the destination on-premises is already set.
upvoted 4 times
jerryl
3 weeks, 3 days ago
The question didn't mention where the Direct Connect is set up but mentions that all non-VPC traffic is private, so I think it makes sense that you need to configure the route table, and I think in C, "update the VPC" already implies that the Lambda is going to be run in that VPC.
upvoted 1 times
...
...
...
...
ChhatwaniB
Most Recent 3 weeks, 2 days ago
Selected Answer: C
Same question in exam topic #524, and the highly voted answer is C there. Since the database in the company's data center cannot have a security group, my vote goes to C.
upvoted 1 times
...
Dharmarajan
2 months, 1 week ago
Selected Answer: A
The language is confusing, but option A essentially says "Configure the Lambda to execute in your own VPC (instead of AWS's own Lambda VPC)", and since your VPC is already configured with the route to the on-prem data center, it will be able to access the on-prem data center resources.
upvoted 1 times
...
FlyingHawk
2 months, 1 week ago
Selected Answer: A
By default, Lambda functions operate outside the customer’s VPC. To access on-premises resources via Direct Connect, the Lambda function must be deployed inside the VPC. Once attached to the VPC, Lambda can use the VPC’s networking setup (route tables, security groups, and the virtual private gateway) to communicate with the on-premises database over Direct Connect.
upvoted 2 times
...
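The reasoning several commenters give for answer A (the function must be attached to the VPC, the existing route to the virtual private gateway then applies, and the function's security group must allow the traffic) can be checked mechanically. The following is an added example, not part of any comment in this discussion; it runs over constructed data shaped like the Lambda and EC2 API responses, and all IDs, CIDRs, the port and the function names `check_on_prem_path`, `route_target` and `egress_allowed` are assumptions.

```python
import ipaddress

# Constructed sample data shaped like AWS API responses; every ID and CIDR is made up.
FUNCTION_NO_VPC = {"FunctionName": "db-reader"}  # default: not attached to a customer VPC
FUNCTION_IN_VPC = {"FunctionName": "db-reader",
                   "VpcConfig": {"VpcId": "vpc-0example", "SubnetIds": ["subnet-0aaa"],
                                 "SecurityGroupIds": ["sg-0lambda"]}}
ROUTE_TABLES = [{"Associations": [{"SubnetId": "subnet-0aaa"}],
                 "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0example"}]}]
SECURITY_GROUPS = {"sg-0lambda": {"IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "192.168.50.0/24"}]}]}}

def route_target(subnet_id, dest_ip, route_tables):
    """Longest-prefix match over the route table associated with the subnet (IPv4 CIDR routes only)."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for table in route_tables:
        if not any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            continue
        for route in table["Routes"]:
            net = ipaddress.ip_network(route["DestinationCidrBlock"])
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, route["GatewayId"])
    return best[1] if best else None

def egress_allowed(sg_ids, dest_ip, port, groups):
    """True if any attached security group has an egress rule covering dest_ip:port over TCP."""
    ip = ipaddress.ip_address(dest_ip)
    for sg_id in sg_ids:
        for perm in groups[sg_id]["IpPermissionsEgress"]:
            proto_ok = perm["IpProtocol"] in ("-1", "tcp")
            port_ok = perm["IpProtocol"] == "-1" or perm["FromPort"] <= port <= perm["ToPort"]
            if proto_ok and port_ok and any(
                    ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False

def check_on_prem_path(function_cfg, dest_ip, port, route_tables=ROUTE_TABLES, groups=SECURITY_GROUPS):
    vpc = function_cfg.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        return "not attached to a VPC: the VPC route tables are never consulted"
    for subnet in vpc["SubnetIds"]:
        if not (route_target(subnet, dest_ip, route_tables) or "").startswith("vgw-"):
            return f"{subnet}: no route to the virtual private gateway"
    if not egress_allowed(vpc["SecurityGroupIds"], dest_ip, port, groups):
        return "security group blocks egress to the database"
    return "reachable via virtual private gateway"
```
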
ensbrvsnss
7 months, 3 weeks ago
Selected Answer: C
either A or C
upvoted 1 times
...
jatric
9 months, 2 weeks ago
Selected Answer: C
C is correct, as Lambda is already in the VPC and the AWS account already has a connection set up with the on-premises database in a private subnet.
upvoted 2 times
...
lofzee
10 months, 3 weeks ago
Selected Answer: A
B, C, D don't have any logic behind them. A is the most logical answer as you need to connect a function to a VPC. The VPC will be connected to the on-prem database.
upvoted 2 times
...
MehulKapadia
1 year ago
Selected Answer: A
Answer A: During Lambda function creation, select "Advanced Settings" and select "Enable VPC"; this will allow you to select the VPC, subnets and security group for your Lambda function. This is the way Lambda can get controlled access to resources in your VPC. Default Lambda settings: When you create a Lambda function without specifying a VPC, the Lambda function does not get associated with any particular VPC. By default, Lambda functions are not deployed within a VPC and do not have access to resources within a VPC, such as EC2 instances, RDS databases, or ElastiCache clusters, unless you explicitly configure the Lambda function to connect to a VPC.
upvoted 5 times
...
Uzbekistan
1 year ago
Selected Answer: C
Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect. Updating the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect is the most appropriate solution. By updating the route tables, you can specify the route for traffic from the Lambda function to the IP address range of the on-premises data center via the Direct Connect connection. This ensures that the Lambda function can securely communicate with the database in the private subnet of the data center.
upvoted 2 times
...
awsgeek75
1 year, 3 months ago
Every time I read this question, the badly phrased options make no sense at all. I now want to vote for A but it makes no sense. The question says: "All non-VPC traffic routes to the virtual private gateway". So Lambda is technically non-VPC traffic too. This means it already goes through the VPGW but we don't know what it connects. Assuming it connects the data centre to AWS, then A makes sense. BUT all this is based on a different interpretation now for me.
upvoted 9 times
...
pentium75
1 year, 3 months ago
Selected Answer: A
The wording is strange because technically, the Lambda function does not "run in the VPC", rather it is connected to the VPC, but otherwise A is what relevant documentation says - connect the Lambda function to the VPN and allow traffic in the security group. Not B, we have Direct Connect, no need for VPN. Not C, route is already in place. And route alone does not help - the "route tables in the VPC" are completely irrelevant as long as we don't connect the Lambda function to the VPC. Not D, an "Elastic IP address" is always connected to an "elastic network interface", such is created automatically with A.
upvoted 7 times
Kanagarajd
1 year, 1 month ago
I agree with the explanation!
upvoted 3 times
...
...
awsgeek75
1 year, 3 months ago
Selected Answer: C
The question and options are very badly worded, so it makes C a possible candidate (unconvincingly though!). B: VPN is not needed as Direct Connect is already there. D: Irrelevant. A is too generic (appropriate security group for what?). Lambda has fixed VPC or ENI. C is logically relevant.
upvoted 1 times
...
pentium75
1 year, 3 months ago
A says "configure the Lambda function to RUN IN the VPC", but "a Lambda function ALWAYS runs inside a VPC owned by the Lambda service" (https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html). "You can configure a Lambda function to CONNECT TO private subnets in a virtual private cloud (VPC) in your AWS account", but "connect to" is not the same as "run in" (https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html). Otherwise A would make sense (you CAN assign a security group to the Elastic Network Interface that Lambda uses to connect to your VPC).
upvoted 2 times
pentium75
1 year, 3 months ago
B: We already have Direct Connect, so why set up VPN? C doesn't make sense because "all non-VPC traffic [already] routes to the virtual private gateway" (which is obviously connected to the Direct Connect gateway), so why should you "update the route tables"? D sounds plausible; however, an Elastic IP address is associated with an Elastic Network Interface (though that is automatically provided by AWS). So the "without an elastic network interface" makes D wrong. My best guess is that there's a typo or misunderstanding in the answers. It's either A but it should read "connect to the VPC" instead of "run in the VPC", or it's D but it should read "without CREATING an elastic network interface" or "WITH an elastic network interface".
upvoted 2 times
...
...
xdkonorek2
1 year, 5 months ago
Selected Answer: C
It's not A: a Lambda function always runs inside a VPC owned by the Lambda service. https://docs.aws.amazon.com/lambda/latest/dg/foundation-networking.html
upvoted 2 times
...
liux99
1 year, 5 months ago
The answer is C. The question is to allow Lambda to access the database running in a private subnet in the corporate data center. The only connectivity with the data center is Direct Connect.
upvoted 2 times
...
Igogor
1 year, 6 months ago
Answer C is correct: https://repost.aws/questions/QUSaj1a6jBQ92Kp56klbZFNw/aws-lambda-to-on-premise-via-direct-connect-and-aws-privatelink
upvoted 2 times
...
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other