Which of the following should the Solutions Architect do to achieve this target architecture?

By: study aws cloud

On: January 11, 2025

Tagged: Solutions Architect Professional

With: 0 Comments

A company has decided to move some workloads onto AWS to create a grid environment to run market analytics.The grid will consist of many similar instances, spun-up by a job-scheduling function.Each time a large analytics workload is completed, a new VPC is deployed along with job scheduler and grid nodes.Multiple grids could be running in parallel.Key requirements are:✑ Grid instances must communicate with Amazon S3 to retrieve data to be processed.✑ Grid instances must communicate with Amazon DynamoDB to track intermediate data.✑ The job scheduler needs only to communicate with the Amazon EC2 API to start new grid nodes.A key requirement is that the environment has no access to the internet, either directly or via the on-premises proxy.However, the application needs to be able to seamlessly communicate to Amazon S3, Amazon DynamoDB, and Amazon EC2 API, without the need for reconfiguration for each new deployment.

Which of the following should the Solutions Architect do to achieve this target architecture?

(Choose three.)

Enable VPC endpoints for Amazon S3 and DynamoDB.

Disable Private DNS Name Support.

Configure the application on the grid instances to use the private DNS name of the Amazon S3 endpoint.

Populate the on-premises DNS server with the private IP addresses of the EC2 endpoint.

Enable an interface VPC endpoint for EC2.

Configure Amazon S3 endpoint policy to permit access only from the grid nodes.

Explanations:

Enabling VPC endpoints for Amazon S3 and DynamoDB allows private connectivity to these services without internet access, meeting the requirement for the grid instances to communicate privately with S3 and DynamoDB.

Disabling Private DNS Name Support would prevent the grid instances from resolving the AWS service endpoints, complicating connectivity. Private DNS is required to access AWS services without internet access.

Configuring the application to use the private DNS name of the Amazon S3 endpoint is unnecessary if Private DNS is enabled for the VPC endpoints, as AWS services will be accessible via standard DNS names.

Populating the on-premises DNS server with private IPs of the EC2 endpoint is irrelevant since the grid operates in AWS without direct on-premises connectivity or reliance on external DNS for VPC endpoint access.

Enabling an interface VPC endpoint for EC2 allows the job scheduler to privately communicate with the EC2 API to manage grid nodes, meeting the requirement for private EC2 API connectivity without internet access.

Configuring an Amazon S3 endpoint policy to restrict access to the grid nodes enhances security by ensuring only authorized grid instances can access S3, reducing exposure of S3 data to other potential AWS resources.

Previous Post: Which of the following approaches grants the finance staff the permissions they require without granting any unnecessary permissions?

Next Post: Which solution will meet this requirement?

Leave a Reply Cancel reply