
Answer-first summary for fast verification
Answer: Create an Application Load Balancer (ALB) in a VPC in the shared services account. Configure the integration to the API Gateway API by using a VPC link. Associate the VPC link with the ALB. Create a VPC endpoint service in each microservice account. Create an AWS PrivateLink endpoint for those services in the shared services account. Add the elastic network interface IP addresses of the VPC endpoint as targets for the target group of the ALB.
The most secure solution that meets the requirements is option A. This option ensures that access to the microservices occurs only over a private network by using AWS PrivateLink, which provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. By creating a VPC endpoint service in each microservice account and an AWS PrivateLink endpoint in the shared services account, the company can control which entities from its internal network can connect to the microservices. Additionally, using an Application Load Balancer (ALB) in the shared services account and configuring the integration to the API Gateway API by using a VPC link allows for secure and scalable access to the microservices. This setup also supports future scalability, because new microservices can be integrated by following the same pattern. Options B, C, and D do not fully meet the security requirements: they either expose the microservices to the internet or do not provide a mechanism to control access from the internal network as securely as AWS PrivateLink does.
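As an added example (not from the page or from AWS), the option A design expressed as Terraform. It assumes the default aws provider is the shared services account, an aws.microservice provider alias is one team's account, and the referenced variables, security group and ALB listener already exist.

```hcl
# Microservice account: publish the team's existing NLB as an endpoint service
# that only the shared services account may connect to, with explicit approval.
resource "aws_vpc_endpoint_service" "svc" {
  provider                   = aws.microservice
  network_load_balancer_arns = [var.microservice_nlb_arn]
  acceptance_required        = true
  allowed_principals         = ["arn:aws:iam::${var.shared_services_account_id}:root"]
}
# Shared services account: interface endpoint to that service; the (assumed)
# security group admits only the ALB, so nothing else in the VPC can reach it.
resource "aws_vpc_endpoint" "svc" {
  vpc_id             = var.shared_vpc_id
  service_name       = aws_vpc_endpoint_service.svc.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.shared_private_subnet_ids
  security_group_ids = [aws_security_group.endpoint.id]
}
# The provider side accepts the cross-account connection.
resource "aws_vpc_endpoint_connection_accepter" "svc" {
  provider                = aws.microservice
  vpc_endpoint_service_id = aws_vpc_endpoint_service.svc.id
  vpc_endpoint_id         = aws_vpc_endpoint.svc.id
}
# One endpoint ENI per subnet; count (not for_each) because IDs are unknown until apply.
data "aws_network_interface" "eni" {
  count = length(var.shared_private_subnet_ids)
  id    = tolist(aws_vpc_endpoint.svc.network_interface_ids)[count.index]
}
# IP-type target group so the endpoint ENI addresses can be registered directly.
resource "aws_lb_target_group" "svc" {
  port        = 443
  protocol    = "HTTPS"
  target_type = "ip"
  vpc_id      = var.shared_vpc_id
}
resource "aws_lb_target_group_attachment" "eni" {
  count            = length(var.shared_private_subnet_ids)
  target_group_arn = aws_lb_target_group.svc.arn
  target_id        = data.aws_network_interface.eni[count.index].private_ip
}
# The HTTP API reaches the ALB listener (assumed) only through the VPC link.
resource "aws_apigatewayv2_integration" "svc" {
  api_id             = var.http_api_id
  integration_type   = "HTTP_PROXY"
  integration_method = "ANY"
  integration_uri    = aws_lb_listener.https.arn
  connection_type    = "VPC_LINK"
  connection_id      = aws_apigatewayv2_vpc_link.shared.id
}
```

Onboarding a new microservice repeats only the first three resources and adds its ENI addresses to a target group of its own; the allowed_principals list and acceptance step are what keep the connection limited to the shared services account.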
Author: LeetQuiz Editorial Team
A company is developing an API-based application on AWS using a microservices architecture within a multi-account environment, where each microservice development team has a dedicated AWS account. Each team deploys its microservice in a separate VPC with Amazon EC2 instances behind a Network Load Balancer (NLB). A network engineer must configure Amazon API Gateway in a shared services account to create an HTTP API for exposing these microservices to external applications. The solution must ensure that access to the microservices is restricted to a private network and allow the company to control which internal network entities can connect to the microservices. Additionally, the solution must support future integration of new microservices. What is the MOST secure solution that meets these requirements?
A
Create an Application Load Balancer (ALB) in a VPC in the shared services account. Configure the integration to the API Gateway API by using a VPC link. Associate the VPC link with the ALB. Create a VPC endpoint service in each microservice account. Create an AWS PrivateLink endpoint for those services in the shared services account. Add the elastic network interface IP addresses of the VPC endpoint as targets for the target group of the ALB.
B
Create an Application Load Balancer (ALB) in a VPC in the shared services account. Configure the integration to the API Gateway API by using a VPC link. Associate the VPC link with the ALB. Connect all the VPCs to each other by using a central transit gateway. Add the IP addresses of the NLB as IP-based targets in the ALB target group.
C
Configure the integration to the API Gateway API by using HTTP-based integration. Connect all the VPCs to each other by using a central transit gateway. Create a separate HTTP integration to each NLB for each microservice. Add the HTTP endpoint of the NLB as the endpoint URL in the HTTP integration.
D
Configure the integration to the API Gateway API by using VPC link integration. Connect all the VPCs to each other by using a central transit gateway. Create a separate VPC link to each NLB for each microservice. Add the HTTP endpoint of the NLB as the endpoint URL in the VPC link integration.