
Answer-first summary for fast verification
Answer: Configure a private NAT gateway in the subnets for each Availability Zone that the application runs in. Configure the application to target the NAT gateways instead of the data service directly. Update the data service's allow list to include the IP addresses of the NAT gateways.
The question asks how an application that is being migrated to AWS and runs in an Auto Scaling group can keep reaching a third-party vendor's data service hosted in the company's data center. The constraint is the vendor's static ACL, which allows specific client IP addresses, so every newly launched instance would otherwise need a new allow-list entry. Among the options, configuring a private NAT gateway in the subnets of each Availability Zone (Option A) is the most efficient solution. The application's traffic to the data service is sent through the NAT gateways rather than to the data service directly, so the instances' own addresses never reach the vendor. A private NAT gateway has a fixed private IP address that becomes the source address of all outbound traffic passing through it, so the data service's allow list only needs the NAT gateway addresses (one per Availability Zone) and stays unchanged as the Auto Scaling group adds or removes instances. The NAT gateway is an AWS-managed service that scales automatically and is highly available within its Availability Zone, which is why one is deployed per zone; the application's access to the data service therefore stays uninterrupted without frequent updates to the allow list.
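The design behind Option A, as an added CloudFormation fragment that is not part of the original page: one private NAT gateway per Availability Zone, with the application subnets routing only the data-service prefix through the gateway in their own zone. The subnet IDs, route table IDs, the data-center CIDR and the pinned private addresses are placeholders; the NAT subnets are assumed to already reach the data center over Direct Connect via the virtual private gateway.

```yaml
# Added example (not the page's own code). Placeholder inputs: app/NAT subnet
# route tables, NAT subnets and the on-premises CIDR hosting the vendor service.
Parameters:
  DataServiceCidr:
    Type: String
    Default: 10.200.0.0/24          # placeholder for the data-center prefix
  NatSubnetA: { Type: AWS::EC2::Subnet::Id }
  NatSubnetB: { Type: AWS::EC2::Subnet::Id }
  AppRouteTableA: { Type: String }  # route table of the app subnet in AZ a
  AppRouteTableB: { Type: String }  # route table of the app subnet in AZ b

Resources:
  # One private NAT gateway per AZ. No Elastic IP is involved: the gateway's
  # private IP is the fixed source address the vendor sees over Direct Connect.
  # Pinning PrivateIpAddress lets the allow-list entries be handed to the vendor
  # before the stack is created.
  PrivateNatGatewayA:
    Type: AWS::EC2::NatGateway
    Properties:
      ConnectivityType: private
      SubnetId: !Ref NatSubnetA
      PrivateIpAddress: 10.0.10.10  # placeholder, must be free in NatSubnetA
  PrivateNatGatewayB:
    Type: AWS::EC2::NatGateway
    Properties:
      ConnectivityType: private
      SubnetId: !Ref NatSubnetB
      PrivateIpAddress: 10.0.20.10  # placeholder, must be free in NatSubnetB

  # App subnets: only the data-service prefix goes through the NAT gateway, and
  # each AZ uses its own gateway so one zone's outage does not black-hole the rest.
  AppToDataServiceA:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppRouteTableA
      DestinationCidrBlock: !Ref DataServiceCidr
      NatGatewayId: !Ref PrivateNatGatewayA
  AppToDataServiceB:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref AppRouteTableB
      DestinationCidrBlock: !Ref DataServiceCidr
      NatGatewayId: !Ref PrivateNatGatewayB

  # The NAT subnets' route tables still need DataServiceCidr -> virtual private
  # gateway (static route or route propagation) so translated traffic reaches
  # the data center over Direct Connect.
```

The vendor's allow list then contains exactly the two pinned NAT gateway addresses, and verifying that every Availability Zone the Auto Scaling group uses has its own gateway and route is the check to make before scaling events.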
Author: LeetQuiz Editorial Team
A company is moving an application to the AWS Cloud and has established connectivity between AWS Direct Connect and its on-premises data center. The application operates on Amazon EC2 instances distributed across multiple Availability Zones within an Auto Scaling group. The application communicates via HTTPS with a third-party vendor’s data service hosted at the company’s data center, which uses a static ACL with explicit IP allow listing.
What network solution should a network engineer implement to ensure the migrated application can access the vendor’s data service as it scales, while minimizing ongoing changes to the vendor’s allow list?
A
Configure a private NAT gateway in the subnets for each Availability Zone that the application runs in. Configure the application to target the NAT gateways instead of the data service directly. Update the data service's allow list to include the IP addresses of the NAT gateways.
B
Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Associate the elastic network interfaces with the Auto Scaling group for the application. Update the data service's allow list to include the IP addresses of the elastic network interfaces.
C
Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Launch an EC2 instance into each subnet. Attach the respective elastic network interfaces to the new EC2 instances. In the application subnet route tables, configure the new EC2 instances as the next destination for the data service. Update the data service’s allow list to include the IP addresses of the elastic network interfaces.
D
Configure an Application Load Balancer (ALB) in the subnets for each Availability Zone that the application runs in. Configure an ALB-associated target group that contains a target that uses the IP address for the data service. Configure the application to target the ALB instead of the data service directly. Update the data service's allow list to include the IP addresses of the ALBs.