A company deploys Amazon EC2 instances that run in a VPC. The EC2 instances load source data into Amazon S3 buckets so that the data can be processed in the future. According to compliance laws, the data must not be transmitted over the public internet. Servers in the company's on-premises data center will consume the output from an application that runs on the EC2 instances.
Which solution will meet these requirements?
A. Deploy an interface VPC endpoint for Amazon EC2. Create an AWS Site-to-Site VPN connection between the company and the VPC.
B. Deploy a gateway VPC endpoint for Amazon S3. Set up an AWS Direct Connect connection between the on-premises network and the VPC.
C. Set up an AWS Transit Gateway connection from the VPC to the S3 buckets. Create an AWS Site-to-Site VPN connection between the company and the VPC.
D. Set up proxy EC2 instances that have routes to NAT gateways. Configure the proxy EC2 instances to fetch S3 data and feed the application instances.
Explanation:
Correct Answer: B
Why Option B is correct:
Gateway VPC Endpoint for Amazon S3: This allows EC2 instances in the VPC to access S3 buckets without traversing the public internet. The traffic stays within the AWS network, meeting the compliance requirement that data must not be transmitted over the public internet.
AWS Direct Connect connection: This provides a dedicated, private network connection from the on-premises data center to AWS. This ensures that servers in the company's on-premises data center can consume the output from the EC2 instances without going over the public internet.
Why other options are incorrect:
Option A: An interface VPC endpoint for Amazon EC2 does not provide access to S3, and EC2 instances do not need a VPC endpoint to communicate with each other within the VPC. A Site-to-Site VPN encrypts traffic but still carries it over the public internet, so it does not meet the on-premises connectivity requirement.
Option C: AWS Transit Gateway connects multiple VPCs and on-premises networks; it does not provide private access to S3, so S3 traffic would still traverse the internet unless combined with a VPC endpoint.
Option D: Proxy EC2 instances behind NAT gateways would still reach S3 over the public internet, violating the compliance requirement; NAT gateways provide outbound internet access rather than keeping traffic on the AWS network.
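As an added illustration that is not part of the quiz page: the gateway endpoint keeps the instances' S3 traffic off the internet, but it does not by itself stop the same bucket from being reached from elsewhere, so the compliance control is usually completed with a bucket policy keyed on the aws:sourceVpce condition. The Python below builds that policy and evaluates it against sample requests; the endpoint id and bucket name are constructed placeholders, and the evaluator models only the policy subset shown.

```python
# Added example (not from the quiz page); endpoint id and bucket are constructed placeholders.
ENDPOINT_ID = "vpce-0123456789abcdef0"
BUCKET = "example-source-data"

def private_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    # Explicit Deny on every request that did not arrive through the gateway
    # endpoint, plus a narrow Allow for the loader. Deny beats any Allow, so
    # IAM grants elsewhere cannot reopen the bucket to internet-sourced access.
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyUnlessViaGatewayEndpoint", "Effect": "Deny",
             "Principal": "*", "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}},
            {"Sid": "AllowLoaderViaGatewayEndpoint", "Effect": "Allow",
             "Principal": "*", "Action": ["s3:PutObject", "s3:GetObject"],
             "Resource": f"{arn}/*",
             "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}}},
        ],
    }

def _matches(pattern, value: str) -> bool:
    # Action/Resource match with a trailing '*' wildcard; a list matches if any element does.
    if isinstance(pattern, list):
        return any(_matches(p, value) for p in pattern)
    return value.startswith(pattern[:-1]) if pattern.endswith("*") else pattern == value

def _condition_holds(condition: dict, ctx: dict) -> bool:
    # Only StringEquals/StringNotEquals are modelled. A request that never crossed
    # the endpoint has no aws:sourceVpce key, so StringNotEquals matches and Deny fires.
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            equal = ctx.get(key) == expected
            if (op == "StringEquals" and not equal) or (op == "StringNotEquals" and equal):
                return False
    return True

def evaluate(policy: dict, action: str, resource: str, ctx: dict) -> str:
    # Simplified IAM logic: explicit Deny wins, else any matching Allow, else implicit deny.
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_matches(st["Action"], action) and _matches(st["Resource"], resource)
                and _condition_holds(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A request that reaches the bucket without passing through the endpoint carries no aws:sourceVpce key at all, which is exactly the case the Deny statement is written to catch.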
Key AWS Services Used:
This solution ensures both requirements are met: