AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company uses Amazon API Gateway to run a private gateway with two REST APIs in the same VPC. The BuyStock RESTful web service calls the CheckFunds RESTful web service to ensure that enough funds are available before a stock can be purchased. The company has noticed in the VPC flow logs that the BuyStock RESTful web service calls the CheckFunds RESTful web service over the internet instead of through the VPC. A solutions architect must implement a solution so that the APIs communicate through the VPC.

Which solution will meet these requirements with the FEWEST changes to the code?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Add an X-API-Key header in the HTTP header for authorization.

Use an interface endpoint.

Use a gateway endpoint.

Add an Amazon Simple Queue Service (Amazon SQS) queue between the two REST APIs.

Explanation:

Explanation

Correct Answer: B - Use an interface endpoint.

Why this is correct:

Private API Gateway Setup: The company is using Amazon API Gateway as a private gateway within a VPC. Private API Gateway endpoints are only accessible from within the VPC.
Current Issue: The BuyStock API is calling the CheckFunds API over the internet instead of through the VPC. This happens because when one API Gateway endpoint calls another API Gateway endpoint, it needs to resolve the DNS name of the target API.
Interface Endpoint Solution:
- An interface endpoint (AWS PrivateLink) creates a private connection between the VPC and AWS services without going over the internet.
- By creating a VPC endpoint for API Gateway (interface endpoint), the DNS resolution for the API Gateway endpoint will resolve to a private IP address within the VPC.
- This ensures that traffic between the two APIs stays entirely within the VPC network.
- This solution requires minimal code changes - only the endpoint URL might need to be updated to use the VPC endpoint DNS name.

Why other options are incorrect:

A. Add an X-API-Key header in the HTTP header for authorization.

This addresses authentication/authorization but does not solve the routing problem. The traffic would still go over the internet.

C. Use a gateway endpoint.

Gateway endpoints are only for Amazon S3 and DynamoDB, not for API Gateway. API Gateway requires interface endpoints (PrivateLink).

D. Add an Amazon Simple Queue Service (Amazon SQS) queue between the two REST APIs.

This would require significant architectural changes and code modifications to implement asynchronous communication via queues, which is not the requirement with the "FEWEST changes to the code."

Key AWS Concepts:

VPC Endpoints: Enable private connectivity between VPCs and AWS services without internet gateways, NAT devices, VPN connections, or AWS Direct Connect.
Interface Endpoints: Powered by AWS PrivateLink, they provide private connectivity to services like API Gateway, S3 (via gateway endpoint is different), Kinesis, etc.
Gateway Endpoints: Only for S3 and DynamoDB, use route tables to route traffic.
Private API Gateway: Can only be accessed from within the VPC using VPC endpoints.

Implementation Steps:

Create a VPC endpoint for API Gateway (interface endpoint) in the same VPC.
Update the BuyStock API to call the CheckFunds API using the VPC endpoint DNS name.
Ensure proper security groups and network ACLs allow traffic between the APIs through the VPC endpoint.

Powered ByGPT-5.2

Comments

Loading comments...