Which solution will meet these requirements?
A. Create a new AWS account in AWS Organizations. Create a VPC in this account and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.
B. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.
C. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.
D. Create a new AWS account in AWS Organizations. Create a transit gateway in this account, and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.
Explanations:
A: Creating a new AWS account and sharing VPC subnets using AWS Resource Access Manager would complicate the architecture and introduce additional management overhead. This solution does not provide the necessary private communication channels between the microservices and would still rely on public internet access for inter-service communication.
B: This solution uses Network Load Balancers (NLB) in each microservice VPC and AWS PrivateLink to establish VPC endpoints, allowing for private connectivity between the services. Each service team can continue using their existing VPCs while facilitating secure HTTPS communication without traversing the public internet, thus meeting the security guidelines efficiently.
C: Creating VPC peering connections would require managing multiple peering arrangements, leading to a complex mesh of connections. Each service team would have to update route tables and manage the scalability and maintenance of these connections, making this solution less efficient and more error-prone compared to AWS PrivateLink.
D: While using a transit gateway allows for easier management of inter-VPC communication, it introduces the need for a new AWS account and additional complexity by requiring transit gateway attachments and route table updates. This solution would not minimize changes for each service team and could be overkill compared to using AWS PrivateLink for simpler and more direct communication.
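As an added illustration of the PrivateLink option (not part of the original question or its answer key), the Terraform below shows the two halves of that design: the providing service team's account exposes an internal NLB through a VPC endpoint service, and a consuming team's account creates an interface endpoint in its existing VPC. The two halves would normally live in separate configurations applied to the two accounts; they are shown in one listing for readability. All names, the consumer account ID, the CIDR variables and the service name are assumed placeholders. The security-relevant settings are the ones that keep the path private and scoped: the NLB is internal, the endpoint service requires acceptance and lists only the allowed consumer principals, and the endpoint's security group admits HTTPS only from the calling microservice's subnets.

```hcl
# ---- Provider side (service team's account) --------------------------------
variable "provider_vpc_id" { type = string }
variable "provider_private_subnet_ids" { type = list(string) }

# Internal NLB fronting the microservice; it is never reachable from the internet.
resource "aws_lb" "svc" {
  name               = "orders-nlb" # assumed name
  load_balancer_type = "network"
  internal           = true
  subnets            = var.provider_private_subnet_ids
}

# TCP passthrough on 443 so TLS terminates on the instances (end-to-end HTTPS).
resource "aws_lb_target_group" "svc" {
  name        = "orders-tg"
  port        = 443
  protocol    = "TCP"
  vpc_id      = var.provider_vpc_id
  target_type = "instance"
}

resource "aws_lb_listener" "svc" {
  load_balancer_arn = aws_lb.svc.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.svc.arn
  }
}

# Endpoint service: the provider must accept each consumer connection, and only
# the listed principals may request one. 111111111111 is a placeholder account ID.
resource "aws_vpc_endpoint_service" "svc" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.svc.arn]
  allowed_principals         = ["arn:aws:iam::111111111111:root"]
}

# ---- Consumer side (another service team's account) ------------------------
variable "consumer_vpc_id" { type = string }
variable "consumer_private_subnet_ids" { type = list(string) }
variable "consumer_app_cidr" { type = string } # subnets of the calling microservice
variable "orders_service_name" { type = string } # service_name published by the provider

# Only the calling microservice's subnets may reach the endpoint, and only on 443.
resource "aws_security_group" "ep" {
  name   = "orders-endpoint-sg"
  vpc_id = var.consumer_vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.consumer_app_cidr]
  }
}

# Interface endpoint in the consumer's existing VPC; traffic stays on the AWS network.
resource "aws_vpc_endpoint" "orders" {
  vpc_id             = var.consumer_vpc_id
  service_name       = var.orders_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_private_subnet_ids
  security_group_ids = [aws_security_group.ep.id]
}

# The DNS name the consuming microservice uses, as option B describes.
output "orders_endpoint_dns" {
  value = aws_vpc_endpoint.orders.dns_entry[0].dns_name
}
```

Because `acceptance_required` is true, the endpoint stays in a pending state until the providing account accepts the connection (in Terraform this is the `aws_vpc_endpoint_connection_accepter` resource, applied on the provider side); together with `allowed_principals` this gives the provider an explicit allow-list of which accounts can call the service, which is the property that VPC peering and shared transit gateway routes do not give on their own.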