
Answer-first summary for fast verification
Answer: Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
The question revolves around centralizing access to Amazon S3 and AWS Systems Manager for hundreds of VPCs, aiming to eliminate the use of public endpoints and reduce operational overhead. Option A suggests using private NAT gateways in a central egress VPC, which does not eliminate the need for public endpoints since NAT gateways still route traffic through public IPs. Option B involves creating interface VPC endpoints in a central shared services VPC and using Route 53 forwarding rules, which adds complexity and does not fully leverage AWS's native DNS capabilities for VPC endpoints. Option C proposes a solution that uses interface VPC endpoints and Route 53 private hosted zones, which is a more streamlined approach but still involves manual DNS configuration. Option D, however, simplifies the process by enabling private DNS for the interface VPC endpoints and ensuring DNS support is turned on for the Transit Gateway. This approach leverages AWS's native capabilities to automatically resolve the DNS names of the services to their private IPs within the VPCs, thus meeting the requirements with the least operational overhead.
Author: LeetQuiz Editorial Team
A company operates hundreds of VPCs on AWS, all of which access Amazon S3 and AWS Systems Manager public endpoints via NAT gateways. The network engineer needs to centralize access to these services and remove the dependency on public endpoints. Which solution meets these requirements with minimal operational overhead?
A
Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
B
Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
C
Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
D
Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
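The option D design written out as Terraform, so that the two settings the explanation turns on (private DNS on the interface endpoints, DNS support on the transit gateway) sit next to each other and can be compared with the "private DNS turned off" variant of options B and C. This is an added example, not code from the question or from LeetQuiz; the region, CIDR blocks, subnet layout, the spoke VPC variables and the allowed source range are placeholders chosen for illustration, and the three Systems Manager service names (ssm, ssmmessages, ec2messages) are the endpoints the SSM agent uses, which the question itself does not spell out.

```hcl
# Added example (not part of the question or LeetQuiz's page): option D in Terraform.
# Region, CIDRs, subnet layout, spoke IDs and the allowed source range are placeholders.

variable "region" { default = "us-east-1" }          # placeholder region
variable "spoke_vpc_id" {}                             # placeholder: one of the spoke VPCs
variable "spoke_subnet_ids" { type = list(string) }    # placeholder: spoke subnets for the TGW attachment
variable "spoke_route_table_id" {}                     # placeholder: spoke route table

# Central shared services VPC. Both DNS flags must be on, or private DNS cannot
# be enabled on the interface endpoints that live in this VPC.
resource "aws_vpc" "shared" {
  cidr_block           = "10.100.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
}

resource "aws_subnet" "endpoint" {
  for_each          = { a = "10.100.0.0/24", b = "10.100.1.0/24" }
  vpc_id            = aws_vpc.shared.id
  cidr_block        = each.value
  availability_zone = "${var.region}${each.key}"
}

# Only HTTPS from the spoke address space reaches the endpoint network interfaces.
resource "aws_security_group" "endpoints" {
  name   = "shared-endpoints"
  vpc_id = aws_vpc.shared.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"]   # placeholder: summary of the spoke VPC CIDRs
  }
}

# Systems Manager needs three interface endpoints (ssm, ssmmessages, ec2messages).
# private_dns_enabled = true is the setting that separates option D from B and C;
# with it set to false the Route 53 forwarding rules or private hosted zones
# those options describe would be needed instead.
resource "aws_vpc_endpoint" "ssm" {
  for_each            = toset(["ssm", "ssmmessages", "ec2messages"])
  vpc_id              = aws_vpc.shared.id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [for s in aws_subnet.endpoint : s.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
}

# S3: AWS requires a gateway endpoint for S3 in the same VPC before private DNS
# can be enabled on the S3 interface endpoint, so both are created here.
resource "aws_vpc_endpoint" "s3_gateway" {
  vpc_id            = aws_vpc.shared.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_vpc.shared.main_route_table_id]
}

resource "aws_vpc_endpoint" "s3" {
  vpc_id              = aws_vpc.shared.id
  service_name        = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [for s in aws_subnet.endpoint : s.id]
  security_group_ids  = [aws_security_group.endpoints.id]
  private_dns_enabled = true
  dns_options {
    # explicit form of the console's "only for inbound endpoint" sub-option, left off
    private_dns_only_for_inbound_resolver_endpoint = false
  }
  depends_on = [aws_vpc_endpoint.s3_gateway]
}

# Transit gateway created with DNS support turned on, the second setting option D names.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "shared services hub"
  dns_support                     = "enable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.shared.id
  subnet_ids         = [for s in aws_subnet.endpoint : s.id]
  dns_support        = "enable"
}

# One spoke attachment; repeat (or for_each) this block for the remaining VPCs.
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.spoke_vpc_id
  subnet_ids         = var.spoke_subnet_ids
  dns_support        = "enable"
}

# Spoke route to the shared services VPC through the transit gateway.
resource "aws_route" "spoke_to_shared" {
  route_table_id         = var.spoke_route_table_id
  destination_cidr_block = aws_vpc.shared.cidr_block
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}
```

The security group is the control worth checking after deployment: the endpoint interfaces should accept TCP 443 only from the spoke address space, and the spoke route tables should send the shared VPC CIDR to the transit gateway rather than to a NAT gateway, which is what removes the dependency on the public endpoints the question describes.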