Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 361 discussion

A software as a service (SaaS) company uses AWS to host a service that is powered by AWS PrivateLink. The service consists of proprietary software that runs on three Amazon EC2 instances behind a Network Load Balancer (NLB). The instances are in private subnets in multiple Availability Zones in the eu-west-2 Region. All the company's customers are in eu-west-2.

However, the company now acquires a new customer in the us-east-1 Region. The company creates a new VPC and new subnets in us-east-1. The company establishes inter-Region VPC peering between the VPCs in the two Regions.

The company wants to give the new customer access to the SaaS service, but the company does not want to immediately deploy new EC2 resources in us-east-1.

Which solution will meet these requirements?

  • A. Configure a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2. Grant specific AWS accounts access to connect to the SaaS service.
  • B. Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
  • C. Create an Application Load Balancer (ALB) in front of the EC2 instances in eu-west-2. Create an NLB in us-east-1. Associate the NLB that is in us-east-1 with an ALB target group that uses the ALB that is in eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
  • D. Use AWS Resource Access Manager (AWS RAM) to share the EC2 instances that are in eu-west-2. In us-east-1, create an NLB and an instance target group that includes the shared EC2 instances from eu-west-2. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service.
Suggested Answer: A
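An added illustration, not part of the exam question or of any comment below: a CloudFormation sketch of the us-east-1 side of the build that option B describes. It stands up an internal NLB in the new us-east-1 VPC, an IP target group whose targets are the private addresses of the eu-west-2 instances reached over the inter-Region peering, and a PrivateLink endpoint service on that NLB whose allow-list admits one named customer account. Everything concrete is a placeholder: the VPC and subnet IDs, the three target IPs, the service port and the 12-digit customer account ID. The peering and its routes are assumed to exist already, as the question states.

```yaml
# Added example (not from the exam or the discussion): us-east-1 side of the
# option B architecture. All IDs, IPs and the account number are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: PrivateLink endpoint service in us-east-1 fronting eu-west-2 targets over inter-Region VPC peering

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id           # the new us-east-1 VPC (placeholder)
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>  # the new us-east-1 private subnets (placeholder)
  CustomerAccountId:
    Type: String                      # placeholder, e.g. "111122223333"
    AllowedPattern: "^[0-9]{12}$"
  ServicePort:
    Type: Number
    Default: 443                      # assumed service port

Resources:
  # Internal NLB in us-east-1: an endpoint service can only reference an NLB
  # in its own Region, so this is the resource the endpoint service points at.
  SaasNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  # IP target group. The targets live outside this VPC (eu-west-2, reached via
  # the peering), so each one is registered with AvailabilityZone "all".
  SaasTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      TargetType: ip
      Protocol: TCP
      Port: !Ref ServicePort
      VpcId: !Ref VpcId
      HealthCheckProtocol: TCP
      Targets:
        - Id: 10.1.0.10               # placeholder: eu-west-2 instance private IP, AZ a
          Port: !Ref ServicePort
          AvailabilityZone: all
        - Id: 10.1.1.10               # placeholder: AZ b
          Port: !Ref ServicePort
          AvailabilityZone: all
        - Id: 10.1.2.10               # placeholder: AZ c
          Port: !Ref ServicePort
          AvailabilityZone: all

  SaasListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref SaasNlb
      Protocol: TCP
      Port: !Ref ServicePort
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref SaasTargets

  # Endpoint service in the same Region as the NLB. AcceptanceRequired keeps
  # the provider in control of every connection request, on top of the allow-list.
  SaasEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref SaasNlb
      AcceptanceRequired: true

  # Allow-list: only the named customer account can even request a connection.
  SaasEndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref SaasEndpointService
      AllowedPrincipals:
        - !Sub "arn:aws:iam::${CustomerAccountId}:root"

Outputs:
  ServiceName:
    # The customer creates an interface endpoint in their VPC against this name.
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${SaasEndpointService}"
```

Two checks worth doing before trusting this: the security groups on the eu-west-2 instances must admit the traffic that arrives through the peering (which source addresses they see depends on the NLB's client IP preservation setting, so verify it rather than assume it), and the allow-list plus AcceptanceRequired together are what turn "grant specific AWS accounts access" into an enforced control, so review pending connection requests rather than auto-accepting them.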

Comments

devalenzuela86
Highly Voted 2 years ago
Selected Answer: A
Explanation:
  • Configuring a PrivateLink endpoint service in us-east-1 to use the existing NLB that is in eu-west-2 will allow the new customer to access the SaaS service without deploying new EC2 resources in us-east-1 [1].
  • Granting specific AWS accounts access to connect to the SaaS service will ensure that only authorized users can access the service [1].
upvoted 18 times
abhitricanada
1 year, 10 months ago
Answer is A because ... VPC peering between the VPCs in the two Regions already done & company does not want to immediately deploy new EC2 resources in us-east-1, later on company will change the architecture
upvoted 2 times
Pilot
1 year, 12 months ago
Network Load Balancers now support connections from clients to IP-based targets in peered VPCs across different AWS Regions. Previously, access to Network Load Balancers from an inter-region peered VPC was not possible. With this launch, you can now have clients access Network Load Balancers over an inter-region peered VPC. Network Load Balancers can also load balance to IP-based targets that are deployed in an inter-region peered VPC. This support on Network Load Balancers is available in all AWS Regions. https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/ NLB support client from different region, I think A is correct.
upvoted 5 times
heatblur
Highly Voted 1 year, 12 months ago
Selected Answer: B
The best option among these is B. While it introduces some complexity, it's the most viable solution that aligns with AWS capabilities and the company's requirements. Creating an NLB in us-east-1 and targeting the IP addresses of the existing instances in eu-west-2 is a feasible approach. This setup allows the company to use their existing infrastructure in eu-west-2 while providing access to the customer in us-east-1 through the PrivateLink endpoint service in us-east-1. This avoids the immediate need to deploy new EC2 resources in the us-east-1 region. It can't be A because AWS PrivateLink endpoint services cannot span regions. They are region-specific, so an endpoint service in us-east-1 cannot directly use an NLB located in eu-west-2.
upvoted 17 times
ayadmawla
1 year, 11 months ago
But the company has established inter-Region VPC peering, so the endpoint would work.
upvoted 2 times
SKS
1 year, 7 months ago
Wrong on the part about PrivateLink support for inter-Region VPC peering: https://aws.amazon.com/about-aws/whats-new/2018/10/aws-privatelink-now-supports-access-over-inter-region-vpc-peering/
upvoted 4 times
pk0619
11 months, 1 week ago
This is saying you can access privatelink in us-east-1 from ec2 instance in eu-west-1. It does not say that you can create a privatelink in us-east-1 for a resource like NLB in eu-west-1.
upvoted 1 times
liquen14
1 year, 8 months ago
I was unable to find documentation saying that an AWS PrivateLink endpoint requires the NLB to be in the same Region, but if you go to the console, for instance here: https://eu-west-1.console.aws.amazon.com/vpcconsole/home?region=eu-west-1#CreateVpcEndpointServiceConfiguration: and try to create an endpoint service when you don't have an NLB there, the console explicitly states: "No Network Load Balancers or Gateway Load Balancers available in this Region." So for me A is invalid.
upvoted 4 times
aka1177
Most Recent 7 hours, 35 minutes ago
Selected Answer: B
Be careful answer is B !! PrivateLink is used only within a single region or between VPCs in the same region !!!
upvoted 1 times
D_dee
1 month, 2 weeks ago
Selected Answer: B
A is incorrect because an AWS PrivateLink endpoint service must use an NLB in the same Region. You cannot associate an endpoint service in us-east-1 with an NLB in eu-west-2.
upvoted 1 times
Blair77
1 month, 3 weeks ago
Selected Answer: B
B ! Why not A? You cannot configure a PrivateLink endpoint service in one region (us-east-1) to directly use a load balancer in another region (eu-west-2). An endpoint service must be in the same region as its associated NLB.
upvoted 1 times
fa6d93f
2 months, 1 week ago
Selected Answer: B
AWS PrivateLink does not support cross–Region endpoint services directly, so customers in us-east-1 cannot connect to a PrivateLink endpoint service running in eu-west-2 without a localized endpoint/NLB in their Region. Option B leverages inter-Region VPC peering to create an NLB in us-east-1; this NLB can forward traffic to the EC2 instances in eu-west-2 by using an IP target group with their private IPs. This setup does not require any new EC2 instances in us-east-1, satisfying the company's requirement to avoid immediate new deployments in that Region.
upvoted 3 times
ce0b8b3
3 months, 1 week ago
Selected Answer: B
A - Not possible. An endpoint service is regional and can only point to an NLB in the same region. You cannot directly associate a PrivateLink service in us-east-1 with an NLB in eu-west-2.
upvoted 2 times
Al8282
4 months, 2 weeks ago
Selected Answer: A
As of Dec 2024 A is right: "With the launch of native cross-region connectivity for AWS PrivateLink, you can now share and access VPC endpoint services across different Regions." It's less complex and fully supported. https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-cross-region-connectivity-for-aws-privatelink/
upvoted 2 times
strike3test
4 months, 3 weeks ago
Selected Answer: A
"Configure a PrivateLink endpoint service in us-east-1 to use the existing NLB in eu-west-2" — This matches the cross-region PrivateLink model, where the endpoint service is hosted in eu-west-2 but accessible from us-east-1 via PrivateLink endpoints. The service provider grants access to specific AWS accounts. This is exactly the new cross-region PrivateLink feature.
upvoted 2 times
dfd5668
5 months, 2 weeks ago
Selected Answer: A
Now A is the answer
upvoted 2 times
kyo
9 months, 2 weeks ago
Selected Answer: B
This question was written before AWS PrivateLink supported cross-region connectivity. At that time, the only way to give a customer in us-east-1 access to a service in eu-west-2 without deploying resources in us-east-1 was the complex workaround described in Option B. This involved creating an NLB in us-east-1 and using an IP target group pointing back to the instances in eu-west-2. It was a complicated solution, but it was the only way to achieve the desired outcome given the limitations at the time. Therefore, B was the correct answer for the question as it was originally written. But now the answer has changed to A.
upvoted 5 times
Spike2020
11 months, 3 weeks ago
Selected Answer: B
As of November 2024, AWS PrivateLink supports native cross-region connectivity. However, since this exam question appears to be set before this feature was available, we need to consider the solution using the previous architecture patterns.
Option A: Not viable because PrivateLink endpoint services must be in the same region as the NLB.
upvoted 3 times
TomTom
12 months ago
Selected Answer: A
Answer A is correct (now). Recently AWS announced that PrivateLink endpoints now support native cross-region connectivity. https://aws.amazon.com/about-aws/whats-new/2024/11/aws-privatelink-across-region-connectivity/
upvoted 2 times
altonh
9 months, 2 weeks ago
A is still incorrect. Note that A requires creating an ENDPOINT SERVICE in us-east-1 that points to an NLB in us-west-2. This is not possible. What you can do is create an endpoint service in us-west-2 that points to the NLB in us-west-2 and then make the endpoint service cross-region. Then, in us-east-1, you can create an ENDPOINT that points to the ENDPOINT SERVICE in us-east-1.
upvoted 1 times
alexbraila
11 months, 4 weeks ago
The article refers to interface VPC endpoints connecting to VPC endpoint services, but this is not the use case here. The comment of liquen14 is still valid; I tested today, 3rd of Dec 2024. When creating an endpoint service, you can only select load balancers in the same region. Hence for the current use case we must create an NLB in us-east-1, which will be able to connect to the EC2 instances over the peered VPC due to the link in Pilot's comment (however, his comment is not right, A does not work): https://aws.amazon.com/about-aws/whats-new/2018/10/network-load-balancer-now-supports-inter-region-vpc-peering/
upvoted 1 times
alexbraila
11 months, 4 weeks ago
Bottom line, A does not work, B does
upvoted 1 times
youonebe
12 months ago
Selected Answer: B
Creating an NLB in us-east-1 with an IP target group pointing to the existing eu-west-2 instances is the most efficient solution because:
  • IP target groups can route traffic across VPC peering connections.
  • This configuration allows the use of existing EC2 instances while providing local access in us-east-1.
  • A PrivateLink endpoint service can be configured with the new NLB to provide secure access.
upvoted 2 times
0b43291
1 year ago
Selected Answer: B
The correct solution is Option B: Create an NLB in us-east-1. Create an IP target group that uses the IP addresses of the company's instances in eu-west-2 that host the SaaS service. Configure a PrivateLink endpoint service that uses the NLB that is in us-east-1. Grant specific AWS accounts access to connect to the SaaS service. Option A is not possible because PrivateLink endpoint services cannot span across AWS Regions. The existing NLB in eu-west-2 cannot be directly used for a PrivateLink endpoint service in us-east-1.
upvoted 1 times
AzureDP900
1 year ago
Correct answer: A. Using an existing NLB in eu-west-2 as the basis for a PrivateLink endpoint service in us-east-1 allows the company to quickly provide access to its SaaS service without having to create new EC2 resources or configure complex networking setups.
upvoted 1 times
Woody1848
1 year, 1 month ago
Selected Answer: A
"An interface endpoint is essentially a service-level ENI. The service is attached straight to the VPC subnet through the ENI. This allows us to assign a private IP address from the subnet pool directly to the service." (AWS Certified Advanced Networking - Specialty Exam Guide pg. 36) There is no need to create EC2 resources in us-east-1 when creating a PrivateLink endpoint.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other