
A company runs an application in a VPC with public and private subnets. The VPC extends across multiple Availability Zones. The application runs on Amazon EC2 instances in private subnets. The application uses an Amazon Simple Queue Service (Amazon SQS) queue.
A solutions architect needs to design a secure solution to establish a connection between the EC2 instances and the SQS queue.
Which solution will meet these requirements?
A. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the private subnets. Add to the endpoint a security group that has an inbound access rule that allows traffic from the EC2 instances that are in the private subnets.
B. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach to the interface endpoint a VPC endpoint policy that allows access from the EC2 instances that are in the private subnets.
C. Implement an interface VPC endpoint for Amazon SQS. Configure the endpoint to use the public subnets. Attach an Amazon SQS access policy to the interface VPC endpoint that allows requests from only a specified VPC endpoint.
D. Implement a gateway endpoint for Amazon SQS. Add a NAT gateway to the private subnets. Attach an IAM role to the EC2 instances that allows access to the SQS queue.
Explanation:
Correct Answer: A
Why Option A is correct:
Why other options are incorrect:
Option B: Interface endpoints should be placed in private subnets, not public subnets. Placing them in public subnets defeats the purpose of keeping traffic private and secure.
Option C: As with B, placing the endpoint in the public subnets is incorrect. Also, while a VPC endpoint policy can restrict which principals and actions pass through the endpoint, the primary network-level control for an interface endpoint is its security group.
Option D: Gateway endpoints are not available for Amazon SQS; only Amazon S3 and DynamoDB support gateway endpoints. Additionally, adding a NAT gateway would route the traffic out through the internet, which is less secure and more expensive than using a VPC endpoint.
Key AWS Concepts:
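The design from Option A, written out as Terraform. This is an added example, not part of the quiz or its answer key; the variable names (var.vpc_id, var.region, var.private_subnet_ids), the instance security group aws_security_group.app, the role aws_iam_role.app and the queue aws_sqs_queue.app are assumed to be defined elsewhere.

```hcl
# Assumed inputs (not from the quiz): var.vpc_id, var.region,
# var.private_subnet_ids, aws_security_group.app (the EC2 instances' SG),
# aws_iam_role.app (the instance role), aws_sqs_queue.app (the queue).

# Security group attached to the endpoint ENIs: the only inbound rule is
# HTTPS from the application instances' security group, so nothing else in
# the VPC can reach the endpoint.
resource "aws_security_group" "sqs_endpoint" {
  name        = "sqs-endpoint-sg"
  description = "HTTPS to the SQS interface endpoint from app instances only"
  vpc_id      = var.vpc_id

  ingress {
    description     = "HTTPS from EC2 instances in the private subnets"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}

# Interface endpoint for SQS with one ENI in a private subnet of each AZ.
# Traffic from the instances to SQS stays inside the VPC; no NAT gateway or
# internet gateway is involved.
resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.sqs_endpoint.id]
  private_dns_enabled = true # sqs.<region>.amazonaws.com resolves to the ENIs

  # Endpoint policy as defense in depth on top of the security group: only
  # the instance role may use this endpoint, and only against the app queue.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = aws_iam_role.app.arn }
      Action    = ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"]
      Resource  = aws_sqs_queue.app.arn
    }]
  })
}
```

The instances' own security group still needs an outbound rule for TCP 443 to aws_security_group.sqs_endpoint, and the instance role still needs IAM permissions on the queue; the endpoint policy only narrows what can pass through the endpoint, it does not grant access by itself.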