Which solution will meet these requirements?

By:
On:
In: SAP-C01
Tagged:
With: 0 Comments
A company is hosting an image-processing service on AWS in a VPC.The VPC extends across two Availability Zones.Each Availability Zone contains one public subnet and one private subnet.The service runs on Amazon EC2 instances in the private subnets.An Application Load Balancer in the public subnets is in front of the service.The service needs to communicate with the internet and does so through two NAT gateways.The service uses Amazon S3 for image storage.The EC2 instances retrieve approximately 1 ׀¢׀’ of data from an S3 bucket each day.The company has promoted the service as highly secure.A solutions architect must reduce cloud expenditures as much as possible without compromising the service’s security posture or increasing the time spent on ongoing operations.

Which solution will meet these requirements?

Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.

Move the EC2 instances to the public subnets. Remove the NAT gateways.

Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.

Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the image on the EFS volume.

Explanations:

Replacing NAT gateways with NAT instances may reduce costs but introduces more operational overhead for managing and scaling NAT instances. This approach compromises the high availability and fault tolerance of the solution.

Moving EC2 instances to the public subnets would expose them directly to the internet, violating the security requirement of keeping the service highly secure. Additionally, it eliminates the use of private subnets, which are best practices for security.

Setting up an S3 gateway VPC endpoint eliminates the need for NAT gateways while maintaining secure communication between the EC2 instances and S3. This reduces costs and operational complexity while preserving security by keeping traffic within the AWS network.

Amazon Elastic File System (EFS) is not necessary for this scenario because the service uses Amazon S3 for image storage, and the solution involves reducing costs. EFS is designed for shared file systems, not for storing large amounts of data for image processing as S3 is better suited.

Leave a Reply

Your email address will not be published. Required fields are marked *

13 − 1 =