
Answer-first summary for fast verification
Answer: D and E. Verify that the security groups attached to the EC2 instances allow outgoing traffic only to the IP addresses that the hostname resolves to, the VPC CIDR block, and the AWS IP address ranges for Amazon S3 and DynamoDB. Verify that the gateway VPC endpoints for Amazon S3 and DynamoDB are both set up and associated with the route tables of the private subnets.
The question concerns reducing the cost of NAT gateway usage in a VPC. The USE2-NatGateway-Bytes usage type is the per-GB data-processing charge, so the fix is to minimize the bytes the NAT gateway processes. The largest avoidable share is traffic to AWS services such as Amazon S3 and DynamoDB, which does not need to traverse the NAT gateway at all. Setting up gateway VPC endpoints for these services gives the private subnets direct access to S3 and DynamoDB without leaving the AWS network, so that traffic incurs no NAT gateway data-processing charges. The endpoints must also be associated with the route tables of the private subnets; otherwise the S3 and DynamoDB prefixes continue to be routed through the NAT gateway. In addition, verifying that the security groups on the EC2 instances allow outgoing traffic only to the IP addresses the license hostname resolves to, the VPC CIDR block, and the AWS IP address ranges for S3 and DynamoDB prevents other, unnecessary traffic from being sent through the NAT gateway. Options D and E implement these two measures. Option B, examining the VPC flow logs to see which traffic traverses the NAT gateway, is a useful diagnostic step but does not by itself reduce the cost. Option E directly removes S3 and DynamoDB traffic from the NAT gateway and therefore reduces the charges. Option D is also good practice for security and cost management, though it addresses the NAT gateway cost less directly than E. Therefore, the most effective actions are options D and E.
Author: LeetQuiz Editorial Team
A company is migrating a legacy data processing solution to AWS and deploying it on Amazon EC2 instances in private subnets of a single VPC. The solution uses Amazon S3 for object storage of both input and output data and Amazon DynamoDB to maintain its state. VPC flow logs are collected, and a single NAT gateway is used to enable license registration over the internet with a specific hostname provided by the software vendor. The company observes that the AWS bill exceeds the projected budget, and a network engineer uses AWS Cost Explorer to identify the USE2-NatGateway-Bytes($) usage type as the primary cause of the unexpected cost increase. What actions should the network engineer take to address this issue? (Choose two.)
A. Set up Amazon VPC Traffic Mirroring. Analyze the traffic to identify the traffic that the NAT gateway processes.
B. Examine the VPC flow logs to identify the traffic that traverses the NAT gateway.
C. Set up an AWS Cost and Usage Report in the AWS Billing and Cost Management console. Examine the report to find more details about the NAT gateway charges.
D. Verify that the security groups attached to the EC2 instances allow outgoing traffic only to the IP addresses that the hostname resolves to, the VPC CIDR block, and the AWS IP address ranges for Amazon S3 and DynamoDB.
E. Verify that the gateway VPC endpoints for Amazon S3 and DynamoDB are both set up and associated with the route tables of the private subnets.