
A solutions architect needs to ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet. Which combination of steps should the solutions architect take to meet this requirement? (Choose two.)
A. Create a route table entry for the endpoint.
B. Create a gateway endpoint for DynamoDB.
Explanation:
To ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet, the solutions architect should:
B. Create a gateway endpoint for DynamoDB - This is the primary requirement. A VPC endpoint for DynamoDB is a gateway endpoint that provides a private connection between your VPC and DynamoDB without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
A. Create a route table entry for the endpoint - After creating the gateway endpoint, you need to add a route to your route table that directs traffic destined for DynamoDB to the VPC endpoint. This ensures that traffic stays within the AWS network.
C. Create an interface endpoint for Amazon EC2 - Interface endpoints are for AWS services that use PrivateLink (like Amazon S3, Amazon SNS, etc.), not for DynamoDB. DynamoDB uses gateway endpoints.
D. Create an elastic network interface for the endpoint in each of the subnets of the VPC - This is required for interface endpoints (PrivateLink), not for gateway endpoints. Gateway endpoints don't use ENIs.
E. Create a security group entry in the endpoint's security group to provide access - Gateway endpoints don't have security groups. Security groups are associated with interface endpoints, not gateway endpoints.
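An added example, not part of the original explanation: a check that both correct steps (gateway endpoint plus route table entry) are in effect for each subnet, including subnets that fall back to the VPC's main route table. It works on dicts in the shape of the EC2 DescribeVpcEndpoints and DescribeRouteTables responses; the function names are hypothetical and every ID is a constructed sample value.

```python
# Added example. Dicts mirror the EC2 DescribeVpcEndpoints / DescribeRouteTables
# response shape; every ID below is a constructed sample value.

def dynamodb_gateway_endpoints(vpc_endpoints, vpc_id):
    """IDs of available DynamoDB gateway endpoints in the given VPC."""
    return {
        ep["VpcEndpointId"] for ep in vpc_endpoints
        if ep["VpcId"] == vpc_id
        and ep["VpcEndpointType"] == "Gateway"
        and ep["ServiceName"].endswith(".dynamodb")
        and ep["State"].lower() == "available"
    }

def effective_route_table(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def subnets_missing_endpoint_route(vpc_endpoints, route_tables, vpc_id, subnet_ids):
    """Subnets whose effective route table lacks an active endpoint route."""
    endpoints = dynamodb_gateway_endpoints(vpc_endpoints, vpc_id)
    missing = []
    for subnet_id in subnet_ids:
        rt = effective_route_table(route_tables, subnet_id)
        routes = rt["Routes"] if rt else []
        if not any(r.get("GatewayId") in endpoints
                   and r.get("DestinationPrefixListId")
                   and r.get("State") == "active" for r in routes):
            missing.append(subnet_id)
    return missing

ENDPOINTS = [{"VpcEndpointId": "vpce-0aaa", "VpcId": "vpc-0111",
              "VpcEndpointType": "Gateway", "State": "available",
              "ServiceName": "com.amazonaws.us-east-1.dynamodb"}]
ENDPOINT_ROUTE = {"DestinationPrefixListId": "pl-0example",
                  "GatewayId": "vpce-0aaa", "State": "active"}
LOCAL_ROUTE = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
               "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL_ROUTE]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [LOCAL_ROUTE, ENDPOINT_ROUTE]},
]
```

With the sample data, `subnet-db` has no explicit association, so it inherits `rtb-main`, which has no endpoint route, and is reported as missing.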