
AWS Certified Advanced Networking - Specialty
A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. Their existing setup includes a VPC with RFC 1918 IP address space, connected to an on-premises data center via AWS Direct Connect. Amazon Route 53 handles name resolution within the VPC, while on-premises DNS services are managed by local DNS servers in the data center. Applications in the data center require access to download objects from an Amazon S3 bucket in us-west-2.
What solution can the company implement to access Amazon S3 without utilizing public IP address space?
Explanation:
To access Amazon S3 without using public IP address space in a hybrid architecture, the company can use either an S3 interface endpoint or an S3 gateway endpoint within the VPC. The key difference between the options lies in how DNS resolution is handled for the on-premises applications. Option A suggests creating an S3 interface endpoint and updating the on-premises application configuration to use the Regional VPC endpoint DNS hostname. This approach directly leverages the private connectivity provided by the interface endpoint over AWS Direct Connect without requiring any additional DNS forwarding configuration. Option B, while also suggesting the creation of an S3 interface endpoint, complicates the solution by introducing a Route 53 Resolver inbound endpoint and DNS forwarding, which is not necessary for this scenario. Options C and D suggest using an S3 gateway endpoint, which is not suitable because gateway endpoints do not support access from on-premises networks over AWS Direct Connect or VPN. Therefore, the most straightforward and correct solution is option A.
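The following is an added example, not part of the exam page or AWS's own tooling. It shows the shape of the Regional VPC endpoint DNS hostname that the on-premises application in option A would be configured with, and a check a practitioner would run before cutting over: confirm that the configured hostname is an interface-endpoint name and that it resolves only to RFC 1918 addresses, rather than to the public S3 range. The hostname pattern follows the endpoint-specific names AWS publishes for S3 interface endpoints; the endpoint ID, bucket name, object key and the resolver answers used here are constructed sample values.

```python
"""Added example (not from the exam page): build the S3 interface-endpoint DNS
names an on-premises application is pointed at, and verify that such a name
resolves only to RFC 1918 address space."""
import ipaddress
import socket
from typing import Callable, Dict, List

# The three RFC 1918 blocks that the VPC and on-premises network are assumed to use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def interface_endpoint_names(vpce_id: str, region: str, bucket: str, key: str = "") -> Dict[str, str]:
    """Build the DNS names for an S3 interface endpoint.

    Follows the documented pattern vpce-<id>.s3.<region>.vpce.amazonaws.com; the
    'bucket.' prefix selects virtual-hosted-style bucket access. vpce_id and
    bucket are example values supplied by the caller (assumption, not from the page).
    """
    base = f"{vpce_id}.s3.{region}.vpce.amazonaws.com"
    return {
        "regional": base,                              # Regional endpoint hostname
        "endpoint_url": f"https://bucket.{base}",      # value for an SDK/CLI endpoint URL
        "object_url": f"https://{bucket}.bucket.{base}/{key}".rstrip("/"),
    }


def resolve(hostname: str) -> List[str]:
    """Default resolver: query the system DNS for A records (needs network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)})


def check_private_path(hostname: str, resolver: Callable[[str], List[str]] = resolve) -> Dict:
    """Confirm hostname is an interface-endpoint name that resolves only to RFC 1918 space.

    A public S3 name (s3.<region>.amazonaws.com) or any non-private answer means
    the on-premises traffic would leave Direct Connect for public address space.
    """
    uses_endpoint = hostname.endswith(".vpce.amazonaws.com")
    addrs = resolver(hostname)
    return {
        "hostname": hostname,
        "uses_interface_endpoint": uses_endpoint,
        "addresses": addrs,
        "private_only": uses_endpoint and bool(addrs) and all(is_rfc1918(a) for a in addrs),
    }


if __name__ == "__main__":
    # Constructed values: endpoint ID, bucket and key are placeholders.
    names = interface_endpoint_names("vpce-0123456789abcdef0-abcd1234", "us-west-2",
                                     "example-bucket", "reports/q1.csv")
    for label, name in names.items():
        print(f"{label:13} {name}")
    # Constructed resolver answers so the check runs offline.
    fake_dns = {names["regional"]: ["10.20.1.15", "10.20.2.22"],
                "s3.us-west-2.amazonaws.com": ["52.218.1.1"]}
    for host in (names["regional"], "s3.us-west-2.amazonaws.com"):
        print(check_private_path(host, resolver=lambda h: fake_dns[h]))
```

In production the `resolver` argument is left at its default so the check uses the on-premises DNS servers the application itself uses; if that lookup returns anything outside RFC 1918, the application is still being steered at the public S3 endpoint and the Direct Connect path is not being exercised.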