Which solution will meet these requirements?

By:
On:
In: DOP-C02
Tagged:
With: 0 Comments
A company has 20 service teams.Each service team is responsible for its own microservice.Each service team uses a separate AWS account for its microservice and a VPC with the 192.168.0.0/22 CIDR block.The company manages the AWS accounts with AWS Organizations.Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer.The microservices communicate with each other across the public internet.The company’s security team has issued a new guideline that all communication between microservices must use HTTPS over private network connections and cannot traverse the public internet.A DevOps engineer must implement a solution that fulfills these obligations and minimizes the number of changes for each service team.

Which solution will meet these requirements?

Create a new AWS account in AWS Organizations. Create a VPC in this account, and use AWS Resource Access Manager to share the private subnets of this VPC with the organization. Instruct the service teams to launch a new Network Load Balancer (NLB) and EC2 instances that use the shared private subnets. Use the NLB DNS names for communication between microservices.

Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use AWS PrivateLink to create VPC endpoints in each AWS account for the NLBs. Create subscriptions to each VPC endpoint in each of the other AWS accounts. Use the VPC endpoint DNS names for communication between microservices.

Create a Network Load Balancer (NLB) in each of the microservice VPCs. Create VPC peering connections between each of the microservice VPCs. Update the route tables for each VPC to use the peering links. Use the NLB DNS names for communication between microservices.

Create a new AWS account in AWS Organizations. Create a transit gateway in this account, and use AWS Resource Access Manager to share the transit gateway with the organization. In each of the microservice VPCs, create a transit gateway attachment to the shared transit gateway. Update the route tables of each VPC to use the transit gateway. Create a Network Load Balancer (NLB) in each of the microservice VPCs. Use the NLB DNS names for communication between microservices.

Explanations:

This option involves creating a new AWS account and using AWS Resource Access Manager to share private subnets, which may complicate the setup and increase changes for each service team. Additionally, it does not meet the requirement for private communication since it relies on public internet communication.

This solution uses a Network Load Balancer in each VPC and AWS PrivateLink to create VPC endpoints, allowing private communication between microservices without traversing the public internet. This approach minimizes changes needed for service teams, as they only need to configure the VPC endpoints to connect securely.

Creating VPC peering connections between each microservice VPC can lead to a complex network setup, especially with 20 VPCs. This solution requires extensive route table updates and management, which may not be efficient or scalable, and it still does not enforce HTTPS.

Although using a transit gateway allows for a more centralized routing mechanism, it requires significant changes for each service team to set up the transit gateway and its attachments. It also involves creating a new AWS account, which is not necessary when a simpler solution like option B is available.

Leave a Reply

Your email address will not be published. Required fields are marked *

nineteen + fourteen =