AWS Certified Solutions Architect - Associate

Explanation

Correct Answer: B

Why Option B is correct:

1. REST API requirement: The question explicitly states that the company "must use REST APIs to present the frontend of the application to users." Option B correctly uses a REST API with Amazon API Gateway.
2. Private subnet hosting: The backend services are hosted in containers in private VPC subnets, which is correctly implemented using Amazon ECS in a private subnet.
3. Private VPC link: To allow API Gateway to access services in private subnets, a VPC link (also called VPC endpoint) is required. This establishes a private connection between API Gateway and the VPC without exposing the backend services to the internet.

Why other options are incorrect:

• Option A: Uses WebSocket API instead of REST API, which violates the requirement for REST APIs.
• Option C: Uses WebSocket API instead of REST API, and security groups alone cannot enable API Gateway to access private subnets. Security groups control traffic at the instance level, but API Gateway needs a VPC link to reach private subnets.
• Option D: Uses REST API correctly, but security groups cannot enable API Gateway to access private subnets. API Gateway operates outside the VPC and needs a VPC link to establish connectivity to resources in private subnets.

Key AWS Concepts:

• API Gateway VPC Link: Enables API Gateway to securely access resources in a VPC without exposing them to the internet.
• Private Subnets: Subnets without internet gateways, requiring private connectivity solutions like VPC links for external services to access them.
• Security Groups vs VPC Links: Security groups control traffic at the instance/container level, while VPC links provide the network-level connectivity between API Gateway and the VPC.