
Answer-first summary for fast verification
Answer: Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table for the private subnets.
## Explanation

**Correct Answer: C**

**Why Option C is correct:**

1. **VPC endpoint for S3**: A Gateway VPC endpoint for Amazon S3 lets the EC2 instances reach S3 without traversing the public internet. The traffic stays on the AWS network and never needs a public IP address.
2. **Private subnets**: Moving the EC2 instances to private subnets removes their path to the internet gateway, which matches the statement that the instances need no network access other than S3.
3. **Route table configuration**: Associating the endpoint with the route table for the private subnets adds a route for the regional S3 prefix list whose target is the endpoint, so traffic destined for S3 is routed through the endpoint instead of through an internet gateway.

**Why the other options are incorrect:**

**Option A**: A NAT gateway lets instances in private subnets reach the internet. It sits in a public subnet and forwards traffic through the internet gateway, so requests still reach S3 on its public IP addresses over an internet path. That does not meet the "private route" requirement, and it adds per-GB NAT data-processing charges to every file transfer.

**Option B**: A security group filters traffic at the instance level; it does not change routing. Restricting outbound traffic to the S3 managed prefix list limits where the instances can talk to, but the permitted traffic would still leave through the internet gateway. It is a sensible complement to option C, not a substitute for it.

**Option D**: AWS Direct Connect is a private link between an on-premises network and AWS. There is no on-premises network in this scenario, so EC2-to-S3 traffic would have to leave AWS and come back in, and removing the internet gateway on its own simply breaks S3 access without supplying another route. Direct Connect is also far more complex and expensive than a VPC endpoint for this use case.

**Key AWS concepts:**

- **VPC endpoints**: Provide private connectivity between your VPC and supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- **Gateway VPC endpoints for S3**: Gateway endpoints for S3 (and DynamoDB) carry no hourly or data-processing charge and route traffic over AWS's private network. They serve buckets in the same Region as the VPC; instances keep using the normal S3 hostnames, and the route table entry is what steers the traffic. Interface endpoints for S3 via AWS PrivateLink also exist, but they are billed per hour and per GB, so the gateway endpoint is the better fit here.
- **Private vs public subnets**: A public subnet's route table has a route to an internet gateway; a private subnet's does not. Instances in a private subnet cannot be reached from the internet and, without a NAT gateway, cannot initiate connections to it, which reduces their exposure.
This solution meets the requirement for private routing while maintaining simplicity and cost-effectiveness.
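The option C architecture written out as Terraform, so the pieces (private route table with no internet gateway route, gateway endpoint, endpoint policy, prefix-list-only security group, and a bucket policy that refuses any path other than the endpoint) can be seen together. This is an added example and not code from the page or from LeetQuiz; the region, CIDR ranges, bucket name and resource names are placeholders, and the bucket is assumed to already exist in the same Region as the VPC.

```hcl
# Placeholders: change the region and bucket name to your own values (assumed, not from the page).
variable "region" { default = "us-east-1" }
variable "bucket_name" { default = "example-medical-records-files" }

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true   # needed so instances resolve the regional S3 hostnames
  enable_dns_hostnames = true
}

# Private subnet: no public IPs on launch, and (below) no route to an internet gateway.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = false
}

# Route table for the private subnet. It deliberately has no 0.0.0.0/0 route; apart from the
# implicit VPC-local route, the only route is the S3 prefix-list route the endpoint adds.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# Gateway endpoint for S3, attached to the private route table. AWS inserts a route for the
# regional S3 managed prefix list whose target is this endpoint.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = [aws_route_table.private.id]

  # Endpoint policy: traffic through this endpoint may only touch the application's bucket.
  # This scopes the endpoint; it does not grant IAM permissions by itself.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
    }]
  })
}

# Instance security group: outbound HTTPS only to the S3 prefix list, since the instances
# need no other network access. This is option B used as a complement to option C.
resource "aws_security_group" "app" {
  name   = "app-s3-only"
  vpc_id = aws_vpc.main.id

  egress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [aws_vpc_endpoint.s3.prefix_list_id]
  }
}

# Bucket policy: deny any request that did not arrive through this endpoint, so the private
# route is the only route, not merely the default one.
resource "aws_s3_bucket_policy" "private_only" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyAccessNotViaVpcEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringNotEquals = { "aws:sourceVpce" = aws_vpc_endpoint.s3.id }
      }
    }]
  })
}
```

Two caveats before applying this as written. The Deny statement blocks every request that does not come through the endpoint, including console and CLI access from operators' workstations and any other AWS service that reads the bucket, so add an exception (for example an `ArnNotLike` condition on a named administrative role) before the first `terraform apply`, or you will lock yourself out. Gateway endpoints also only serve buckets in the same Region as the VPC; a bucket in another Region would still need an interface endpoint or a different design.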
Author: LeetQuiz Editorial Team
A medical records company is hosting an application on Amazon EC2 instances. The application processes customer data files that are stored on Amazon S3. The EC2 instances are hosted in public subnets. The EC2 instances access Amazon S3 over the internet, but they do not require any other network access.
A new requirement mandates that the network traffic for file transfers take a private route and not be sent over the internet.
Which change to the network architecture should a solutions architect recommend to meet this requirement?
A
Create a NAT gateway. Configure the route table for the public subnets to send traffic to Amazon S3 through the NAT gateway.
B
Configure the security group for the EC2 instances to restrict outbound traffic so that only traffic to the S3 prefix list is permitted.
C
Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table for the private subnets.
D
Remove the internet gateway from the VPC. Set up an AWS Direct Connect connection, and route traffic to Amazon S3 over the Direct Connect connection.