Which change to the network architecture should a solutions architect recommend to meet this requirement?
Create a NAT gateway. Configure the route table for the public subnets to send traffic to Amazon S3 through the NAT gateway.
Configure the security group for the EC2 instances to restrict outbound traffic so that only traffic to the S3 prefix list is permitted.
Move the EC2 instances to private subnets. Create a VPC endpoint for Amazon S3, and link the endpoint to the route table for the private subnets.
Remove the internet gateway from the VPC. Set up an AWS Direct Connect connection, and route traffic to Amazon S3 over the Direct Connect connection.
Explanations:
A NAT gateway lets instances in private subnets reach the internet, but traffic sent through it still leaves the VPC toward the public S3 endpoints; it does not give public subnets a private path to S3.
Restricting outbound traffic in the security group to the S3 prefix list is good practice, but a security group only filters traffic; it does not change how the traffic is routed, so the traffic would still go over the internet rather than privately.
Moving the EC2 instances to private subnets and creating a VPC endpoint for S3 that is associated with the private subnets' route table keeps the traffic on the AWS network without traversing the internet, which fulfills the requirement.
Removing the internet gateway and setting up Direct Connect is not necessary for reaching S3 privately and adds cost and complexity; a VPC endpoint is sufficient.