66. VPCs

We may consider a VPC (Virtual Private Cloud) as a virtual or logical data center in the cloud. A VPC lets us provision a logically isolated section of the AWS cloud where we can launch AWS resources in a virtual network that we define. We have complete control over the virtual networking environment, including selection of our own IP address range, creation of subnets, and configuration of route tables and network gateways. We can easily customize the network configuration for an Amazon VPC. For example, we can create a public-facing subnet for web servers that has access to the internet, and place backend systems such as databases or application servers in a private-facing subnet with no internet access. We can leverage multiple layers of security, including security groups and NACLs, to help control access to EC2 instances in each subnet. We can also create a hardware VPN connection between the corporate data center and the VPC and leverage the AWS cloud as an extension of the corporate data center.

Using a VPC we can:
i) Launch instances into a subnet of our choice
ii) Assign custom IP address ranges in each subnet
iii) Configure route tables between subnets
iv) Create an internet gateway and attach it to our VPC
v) Get much better security control over our AWS resources
vi) Use instance security groups
vii) Use subnet network ACLs

Default VPC vs Custom VPC:
i) The default VPC is user friendly, allowing us to deploy instances immediately.
ii) All subnets in the default VPC have a route out to the internet.
iii) Each EC2 instance has both a public and a private IP address.

VPC Peering:
i) Allows us to connect one VPC with another via a direct network route using private IP addresses
ii) Instances behave as if they were on the same private network
iii) We can peer VPCs with other AWS accounts as well as with other VPCs in the same account
iv) Peering is in a star configuration, i.e. one central VPC peers with four others. There is no transitive peering.
v) We can peer between regions.

Tips:
i) A VPC consists of internet gateways (or virtual private gateways), route tables, NACLs, subnets and security groups.
ii) 1 subnet = 1 AZ. We can have multiple subnets in one AZ.
iii) Security groups are stateful; NACLs are stateless.

Question 1:
What AWS services work in concert to integrate security monitoring and
audit within a VPC? (Select three)
A. Syslog
B. CloudWatch
C. WAF
D. CloudTrail
E. VPC Flow Log
Answer: B, D, E

Question 2:
What statements correctly describe support for Microsoft SQL Server within
Amazon VPC? (Select three)
A. read/write replica
B. read replica only
C. vertical scaling
D. native load balancing
E. EBS storage only
F. S3 storage only
Answer: B, C, D

Question 3:
You have enabled Amazon RDS database services in VPC1 for an application with public web servers in VPC2. How do you connect the web servers to the RDS database instance so they can communicate, considering the VPCs are in different regions?
A. VPC endpoints
B. VPN gateway
C. path-based routing
D. publicly accessible database
E. VPC peering
Answer: D

Question 4:
Company-A operates a business system that uses AWS resources such as VPC. Recently, the management of company-A has acquired company-B, and you, as a solutions architect, have been put in charge of IT integration between these two companies. Company-B also has its own set of resources that are hosted on AWS. The requirement is to allow AWS resources in company-A’s VPC to access AWS resources in company-B’s VPC. What action do you need to take to meet this requirement?
Options:
A. Install a NAT instance in each VPC and connect between VPCs
B. Install a NAT gateway in each VPC and connect between VPCs
C. Connect VPCs through the organization settings of AWS Organizations
D. Connect VPCs by VPC peering
Answer: D
Explanation:
A VPC peering connection allows you to network between two VPCs for private traffic routing. This allows instances configured in two VPCs to communicate with each other as if they were in the same network. Therefore, option 4 is the correct answer. A VPC peering connection is a network connection that allows you to route traffic between VPCs using private IPv4 or IPv6 addresses. VPC peering connections work between VPCs in one AWS account, or even between multiple AWS accounts, regardless of region.
Options 1 and 2 are incorrect. A NAT instance or NAT gateway allows an instance in a private subnet to reach the Internet by translating its private IP address into a public IP address. This function, however, has nothing to do with connecting VPCs.
Option 3 is incorrect. AWS Organizations is a feature that enables integrated management of multiple AWS accounts. You can use it to share VPCs between accounts, but it is not used to connect VPCs.

Question 5:
As a Solutions Architect, you are building an application on AWS. This application sets up an EC2 instance with a public IP in a subnet of a VPC. It appears you cannot connect to your EC2 instance over the internet. The security group seems to be set up correctly.
What should you do to connect to the EC2 instance from the internet?
Options:
A. Set the correct route in the route table
B. Set Elastic IP to your EC2 instance
C. Set the secondary IP address to your EC2 instance
D. Set up a NAT gateway
Answer: A
Explanation
In order for this EC2 instance to be accessible from the Internet, the security groups and network ACLs must be properly configured and the subnet’s route table in place must have an entry to the Internet gateway. Therefore, option 1 is the correct answer.
Option 2 is incorrect. An Elastic IP is not required for access from the internet.
Option 3 is incorrect. A secondary IP is not required for access from the internet.
Option 4 is incorrect. A NAT gateway is used for EC2 instances in a private subnet, not a public one.
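The troubleshooting logic behind this question, together with the tip that security groups are stateful and NACLs are stateless, written out as a Python check. This is an added example, not part of the original notes; the gateway ids, addresses, ports and rule sets are constructed placeholders, and the model assumes a plain TCP connection from the internet to the instance's public IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    destination: str   # CIDR the route matches, e.g. "0.0.0.0/0"
    target: str        # "local", or a gateway id such as "igw-..." or "nat-..."


@dataclass
class NaclRule:
    number: int        # NACL rules are evaluated lowest number first
    action: str        # "allow" or "deny"
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"


@dataclass
class Subnet:
    routes: List[Route]            # the route table associated with the subnet
    nacl_inbound: List[NaclRule]
    nacl_outbound: List[NaclRule]


@dataclass
class Instance:
    public_ip: Optional[str]       # None when the instance only has a private IP
    sg_inbound: Dict[int, str]     # port -> source CIDR the security group allows in


def has_igw_default_route(subnet: Subnet) -> bool:
    """Public-subnet test: a 0.0.0.0/0 route whose target is an internet gateway."""
    return any(r.destination == "0.0.0.0/0" and r.target.startswith("igw-")
               for r in subnet.routes)


def nacl_allows(rules: List[NaclRule], port: int, peer_ip: str) -> bool:
    """Stateless, ordered evaluation: the first rule matching port and peer decides.
    The implicit final '*' rule denies anything no explicit rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.port_from <= port <= r.port_to and ip_address(peer_ip) in ip_network(r.cidr):
            return r.action == "allow"
    return False


def sg_allows(instance: Instance, port: int, peer_ip: str) -> bool:
    """Stateful: only the inbound rule is checked; the reply is tracked automatically."""
    cidr = instance.sg_inbound.get(port)
    return cidr is not None and ip_address(peer_ip) in ip_network(cidr)


def internet_reachable(subnet: Subnet, instance: Instance, dst_port: int,
                       client_ip: str, client_port: int) -> Tuple[bool, str]:
    """Decide whether a TCP connection from client_ip:client_port to the instance's
    public IP on dst_port can succeed, checking the layers in the order AWS applies them."""
    if instance.public_ip is None:
        return False, "instance has no public IP"
    if not has_igw_default_route(subnet):
        return False, "route table has no 0.0.0.0/0 route to an internet gateway"
    if not nacl_allows(subnet.nacl_inbound, dst_port, client_ip):
        return False, f"NACL inbound denies port {dst_port}"
    if not sg_allows(instance, dst_port, client_ip):
        return False, f"security group denies port {dst_port}"
    # NACLs are stateless: the reply to the client's ephemeral port needs its own allow.
    if not nacl_allows(subnet.nacl_outbound, client_port, client_ip):
        return False, f"NACL outbound denies return traffic to ephemeral port {client_port}"
    return True, "reachable"


# ---- constructed sample data; ids and addresses are placeholders ----
WEB = Instance(public_ip="198.51.100.20", sg_inbound={443: "0.0.0.0/0"})
CLIENT_IP, CLIENT_PORT = "203.0.113.10", 49152

NACL_IN = [NaclRule(100, "allow", 443, 443)]
NACL_OUT_OK = [NaclRule(100, "allow", 1024, 65535)]     # ephemeral return ports
NACL_OUT_BROKEN = [NaclRule(100, "allow", 443, 443)]    # return path forgotten

LOCAL = Route("10.0.0.0/16", "local")
# Question 5 as described: security group is fine, route table only has the local route.
BROKEN_ROUTES = Subnet([LOCAL], NACL_IN, NACL_OUT_OK)
# Option A applied: a default route to the internet gateway.
FIXED_ROUTES = Subnet([LOCAL, Route("0.0.0.0/0", "igw-0example")], NACL_IN, NACL_OUT_OK)
# Routing correct, but the stateless NACL lacks an outbound ephemeral-port rule.
STATELESS_TRAP = Subnet(FIXED_ROUTES.routes, NACL_IN, NACL_OUT_BROKEN)

if __name__ == "__main__":
    for name, subnet in [("broken routes", BROKEN_ROUTES), ("fixed routes", FIXED_ROUTES),
                         ("stateless trap", STATELESS_TRAP)]:
        print(f"{name:15} -> {internet_reachable(subnet, WEB, 443, CLIENT_IP, CLIENT_PORT)}")
```

The third scenario is the one a stateful-only mental model misses: the security group alone would have let the connection through, but the NACL has to allow the reply explicitly.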

Question 6:
A company has two accounts for performing testing, and each account has a single VPC: VPC-TEST1 and VPC-TEST2. The operations team requires a method of securely copying files between Amazon EC2 instances in these VPCs. The connectivity should not have any single points of failure or bandwidth constraints.
Which solution should a Solutions Architect recommend?
Options:
A. Attach a virtual private gateway to VPC-TEST1 and VPC-TEST2 and enable routing
B. Create a VPC peering connection between VPC-TEST1 and VPC-TEST2
C. Create a VPC gateway endpoint for each EC2 instance and update route tables
D. Attach a Direct Connect gateway to VPC-TEST1 and VPC-TEST2 and enable routing
Answer: B
Explanation
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.
You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection).
CORRECT: “Create a VPC peering connection between VPC-TEST1 and VPC-TEST2” is the correct answer.
INCORRECT: “Create a VPC gateway endpoint for each EC2 instance and update route tables” is incorrect. You cannot create VPC gateway endpoints for Amazon EC2 instances. These are used with DynamoDB and S3 only.
INCORRECT: “Attach a virtual private gateway to VPC-TEST1 and VPC-TEST2 and enable routing” is incorrect. You cannot create an AWS Managed VPN connection between two VPCs.
INCORRECT: “Attach a Direct Connect gateway to VPC-TEST1 and VPC-TEST2 and enable routing” is incorrect. A Direct Connect gateway is used to connect a Direct Connect connection to multiple VPCs; it is not useful in this scenario as there is no Direct Connect connection.

Question 7:
The sourcing team at the US headquarters of a global e-commerce company is preparing a spreadsheet of the new product catalog. The spreadsheet is saved on an EFS file system created in us-east-1 region. The sourcing team counterparts from other AWS regions such as Asia Pacific and Europe also want to collaborate on this spreadsheet.
As a solutions architect, what is your recommendation to enable this collaboration with the LEAST amount of operational overhead?
Options
A. The spreadsheet will have to be copied in Amazon S3 which can then be accessed from any AWS region
B. The spreadsheet data will have to be moved into an RDS MySQL database which can then be accessed from any AWS region
C. The spreadsheet on the EFS file system can be accessed in other AWS regions by using an inter-region VPC peering connection
D. The spreadsheet will have to be copied into EFS file systems of other AWS regions as EFS is a regional service and it does not allow access from other AWS regions
Answer: C
Explanation
Correct option:
The spreadsheet on the EFS file system can be accessed in other AWS regions by using an inter-region VPC peering connection
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources.
Amazon EFS is a regional service storing data within and across multiple Availability Zones (AZs) for high availability and durability. Amazon EC2 instances can access your file system across AZs, regions, and VPCs, while on-premises servers can access using AWS Direct Connect or AWS VPN.
You can connect to Amazon EFS file systems from EC2 instances in other AWS regions using an inter-region VPC peering connection, and from on-premises servers using an AWS VPN connection. So this is the correct option.
Incorrect options:
The spreadsheet will have to be copied in Amazon S3 which can then be accessed from any AWS region
The spreadsheet data will have to be moved into an RDS MySQL database which can then be accessed from any AWS region
Copying the spreadsheet into S3 or an RDS database is not the correct solution as it involves a lot of operational overhead. For RDS, one would need to write custom code to replicate the spreadsheet functionality running off the database. S3 does not allow in-place editing of an object. Additionally, it is also not POSIX compliant. So one would need to develop a custom application to “simulate in-place edits” to support collaboration as per the use case. So both these options are ruled out.
The spreadsheet will have to be copied into EFS file systems of other AWS regions as EFS is a regional service and it does not allow access from other AWS regions – Creating copies of the spreadsheet into EFS file systems of other AWS regions would mean no collaboration would be possible between the teams. In this case, each team would work on “its own file” instead of a single file accessed and updated by all teams. Hence this option is incorrect.

Question 8:
A systems administrator has created a private hosted zone and associated it with a Virtual Private Cloud (VPC). However, the DNS queries for the private hosted zone remain unresolved.
As a Solutions Architect, can you identify the Amazon VPC options to be configured in order to get the private hosted zone to work?
• Enable DNS hostnames and DNS resolution for private hosted zones (Correct)
• Fix the Name server (NS) record and Start Of Authority (SOA) records that may have been created with wrong configurations
• Remove any overlapping namespaces for the private and public hosted zones
• Fix conflicts between your private hosted zone and any Resolver rule that routes traffic to your network for the same domain name, as it results in ambiguity over the route to be taken
Explanation
Correct option:
Enable DNS hostnames and DNS resolution for private hosted zones – DNS hostnames and DNS resolution are required settings for private hosted zones. DNS queries for private hosted zones can be resolved by the Amazon-provided VPC DNS server only. As a result, these options must be enabled for your private hosted zone to work.
DNS hostnames: For non-default virtual private clouds that aren’t created using the Amazon VPC wizard, this option is disabled by default. If you create a private hosted zone for a domain and create records in the zone without enabling DNS hostnames, private hosted zones aren’t enabled. To use a private hosted zone, this option must be enabled.
DNS resolution: Private hosted zones accept DNS queries only from a VPC DNS server. The IP address of the VPC DNS server is the reserved IP address at the base of the VPC IPv4 network range plus two. Enabling DNS resolution allows you to use the VPC DNS server as a Resolver for performing DNS resolution. Keep this option disabled if you’re using a custom DNS server in the DHCP Options set, and you’re not using a private hosted zone.
Incorrect options:
Remove any overlapping namespaces for the private and public hosted zones – If you have private and public hosted zones that have overlapping namespaces, such as example.com and accounting.example.com, then the Resolver routes traffic based on the most specific match. It won’t result in unresolved queries, hence this option is wrong.
Fix the Name server (NS) record and Start Of Authority (SOA) records that may have been created with wrong configurations – When you create a hosted zone, Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record for the zone for public hosted zone. However, this issue is about the private hosted zone, hence this is an incorrect option.
Fix conflicts between your private hosted zone and any Resolver rule that routes traffic to your network for the same domain name, as it results in ambiguity over the route to be taken – If you have a private hosted zone (example.com) and a Resolver rule that routes traffic to your network for the same domain name, the Resolver rule takes precedence. It won’t result in unresolved queries.

Question 9:
You have multiple AWS accounts within a single AWS Region managed by AWS Organizations and you would like to ensure all EC2 instances in all these accounts can communicate privately. Which of the following solutions provides the capability at the CHEAPEST cost?
A. Create a VPC peering connection between all VPCs
B. Create a VPC in an account and share one or more of its subnets with the other accounts using Resource Access Manager
C. Create a Private Link between all the EC2 instances
D. Create a Transit Gateway and link all the VPC in all the accounts together
Answer: B
Explanation
Correct option:
Create a VPC in an account and share one or more of its subnets with the other accounts using Resource Access Manager
AWS Resource Access Manager (RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization. You can share AWS Transit Gateways, Subnets, AWS License Manager configurations, and Amazon Route 53 Resolver rules resources with RAM. RAM eliminates the need to create duplicate resources in multiple accounts, reducing the operational overhead of managing those resources in every single account you own. You can create resources centrally in a multi-account environment, and use RAM to share those resources across accounts in three simple steps: create a Resource Share, specify resources, and specify accounts. RAM is available to you at no additional charge.
The correct solution is to share the subnet(s) within a VPC using RAM. This will allow all EC2 instances to be deployed in the same VPC (although from different accounts) and easily communicate with one another.
Incorrect options:
Create a Private Link between all the EC2 instances – AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. Private Link is a distractor in this question. Private Link is leveraged to create a private connection between an application that is fronted by an NLB in an account, and an Elastic Network Interface (ENI) in another account, without the need of VPC peering and allowing the connections between the two to remain within the AWS network.
Create a VPC peering connection between all VPCs – A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your VPCs, or with a VPC in another AWS account. The VPCs can be in different regions (also known as an inter-region VPC peering connection). VPC peering connections will work, but won’t efficiently scale if you add more accounts (you’ll have to create many connections).
Create a Transit Gateway and link all the VPC in all the accounts together – AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. A Transit Gateway will work but will be an expensive solution. Here we want to minimize cost.

Question 10:
An e-commerce company operates multiple AWS accounts and has interconnected these accounts in a hub-and-spoke style using the AWS Transit Gateway. VPCs have been provisioned across these AWS accounts to facilitate network isolation.
Which of the following solutions would reduce both the administrative overhead and the costs while providing shared access to services required by workloads in each of the VPCs?
A. Build a shared services VPC
B. Use Fully meshed VPC Peers
C. Use VPCs connected with AWS Direct Connect
D. Use Transit VPC to reduce cost and share the resources across VPCs
Answer: A
Explanation
Correct option:
Build a shared services VPC
Consider an organization that has built a hub-and-spoke network with AWS Transit Gateway. VPCs have been provisioned into multiple AWS accounts, perhaps to facilitate network isolation or to enable delegated network administration. When deploying distributed architectures such as this, a popular approach is to build a “shared services VPC”, which provides access to services required by workloads in each of the VPCs. This might include directory services or VPC endpoints. Sharing resources from a central location instead of building them in each VPC may reduce administrative overhead and cost.
A VPC endpoint allows you to privately connect your VPC to supported AWS services without requiring an Internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Endpoints are virtual devices that are horizontally scaled, redundant, and highly available VPC components. They allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.
VPC endpoints enable you to reduce data transfer charges resulting from network communication between private VPC resources (such as Amazon Elastic Compute Cloud (EC2) instances) and AWS services (such as Amazon Quantum Ledger Database (QLDB)). Without VPC endpoints configured, communications that originate from within a VPC destined for public AWS services must egress AWS to the public Internet in order to access AWS services. This network path incurs outbound data transfer charges. Data transfer charges for traffic egressing from Amazon EC2 to the Internet vary based on volume. With VPC endpoints configured, communication between your VPC and the associated AWS service does not leave the Amazon network. If your workload requires you to transfer significant volumes of data between your VPC and AWS, you can reduce costs by leveraging VPC endpoints.
Incorrect options:
Use Transit VPC to reduce cost and share the resources across VPCs – Transit VPC uses customer-managed Amazon Elastic Compute Cloud (Amazon EC2) VPN instances in a dedicated transit VPC with an Internet gateway. This design requires the customer to deploy, configure, and manage EC2-based VPN appliances, which will result in additional EC2, and potentially third-party product and licensing charges. Note that this design will generate additional data transfer charges for traffic traversing the transit VPC: data is charged when it is sent from a spoke VPC to the transit VPC, and again from the transit VPC to the on-premises network or a different AWS Region. Transit VPC is not the right choice here.
Use Fully meshed VPC Peers – This approach creates multiple peering connections to facilitate the sharing of information between resources in different VPCs. This design connects multiple VPCs in a fully meshed configuration, with peering connections between each pair of VPCs. With this configuration, each VPC has access to the resources in all other VPCs. Each peering connection requires modifications to all the other VPCs’ route tables and, as the number of VPCs grows, this can be difficult to maintain. Keep in mind that AWS recommends a maximum of 125 peering connections per VPC. It is complex to manage and is not the right fit for the current scenario.
Use VPCs connected with AWS Direct Connect – This approach is a good alternative for customers who need to connect a high number of VPCs to a central VPC or on-premises resources, or who already have an AWS Direct Connect connection in place. This design also offers customers the ability to incorporate transitive routing into their network design. For example, if VPC A and VPC B are both connected to an on-premises network using AWS Direct Connect connections, then the two VPCs can be connected to each other via AWS Direct Connect. Direct Connect requires physical cables and takes about a month to set up, so this is not an ideal solution for the given scenario.

Question 11:
An engineering lead is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow EC2 instances to download software updates.
Which of the following options represents the correct solution to set up internet access for the private subnets?
A. Set up three Internet gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the Internet gateway in its AZ
B. Set up three NAT gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ
C. Set up three NAT gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ
D. Set up three egress-only internet gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the egress-only internet gateway in its AZ
Answer: B
Explanation
Correct option:
Set up three NAT gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ
You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. The Elastic IP address cannot be changed after you associate it with the NAT Gateway. After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet.
Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
Incorrect options:
Set up three NAT gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the NAT gateway in its AZ – NAT gateways need to be set up in public subnets, so this option is incorrect.
Set up three Internet gateways, one in each private subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the Internet gateway in its AZ – Internet gateways cannot be provisioned in private subnets of a VPC.
Set up three Egress-only Internet gateways, one in each public subnet in each AZ. Create a custom route table for each AZ that forwards non-local traffic to the Egress-only Internet Gateway in its AZ – An Egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances. The given use-case is for IPv4 traffic, hence an Egress-only Internet gateway is not an option.
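An added example, not from the original notes, that audits a VPC layout against the AZ-independent design in this explanation: every NAT gateway must reside in a public subnet with an Elastic IP, and every private subnet's default route must point at the NAT gateway in its own AZ. Subnet, gateway and address values are constructed placeholders; a subnet is treated as public when its 0.0.0.0/0 route targets an internet gateway.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    destination: str   # CIDR the route matches
    target: str        # "local", "igw-...", or "nat-..."


@dataclass
class Subnet:
    subnet_id: str
    az: str                      # Availability Zone, e.g. "us-east-1a"
    routes: List[Route]          # the route table associated with the subnet


@dataclass
class NatGateway:
    nat_id: str
    subnet_id: str               # the subnet the NAT gateway resides in
    elastic_ip: Optional[str]    # None if no Elastic IP was associated


def default_route_target(subnet: Subnet) -> Optional[str]:
    for r in subnet.routes:
        if r.destination == "0.0.0.0/0":
            return r.target
    return None


def is_public(subnet: Subnet) -> bool:
    """A subnet is public when its default route points at an internet gateway."""
    t = default_route_target(subnet)
    return t is not None and t.startswith("igw-")


def audit_nat_layout(subnets: List[Subnet], nats: List[NatGateway]) -> List[str]:
    """Return findings for the NAT layout. An empty list means every NAT gateway sits
    in a public subnet with an Elastic IP and every private subnet egresses through
    the NAT gateway in its own AZ, i.e. the design from Question 11."""
    findings = []
    subnet_by_id = {s.subnet_id: s for s in subnets}
    nat_by_id = {n.nat_id: n for n in nats}
    for n in nats:
        home = subnet_by_id.get(n.subnet_id)
        if home is None:
            findings.append(f"{n.nat_id}: subnet {n.subnet_id} not found")
            continue
        if not is_public(home):
            findings.append(f"{n.nat_id}: placed in private subnet {home.subnet_id}; "
                            "a NAT gateway must reside in a public subnet")
        if n.elastic_ip is None:
            findings.append(f"{n.nat_id}: no Elastic IP associated")
    for s in subnets:
        if is_public(s):
            continue
        t = default_route_target(s)
        if t is None:
            findings.append(f"{s.subnet_id} ({s.az}): no default route, no internet access")
        elif not t.startswith("nat-"):
            findings.append(f"{s.subnet_id} ({s.az}): default route target {t} is not a NAT gateway")
        elif t not in nat_by_id or nat_by_id[t].subnet_id not in subnet_by_id:
            findings.append(f"{s.subnet_id} ({s.az}): default route points at unknown {t}")
        else:
            nat_az = subnet_by_id[nat_by_id[t].subnet_id].az
            if nat_az != s.az:
                findings.append(f"{s.subnet_id} ({s.az}): egresses via {t} in {nat_az}; "
                                f"an outage in {nat_az} cuts {s.az} off from the internet")
    return findings


# ---- constructed sample layout; ids and addresses are placeholders ----
IGW = "igw-0example"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
LOCAL = Route("10.0.0.0/16", "local")


def build_layout(shared_nat: bool = False) -> Tuple[List[Subnet], List[NatGateway]]:
    """One public and one private subnet per AZ. shared_nat=True reproduces the
    single shared NAT gateway that the explanation warns about."""
    subnets, nats = [], []
    for i, az in enumerate(AZS):
        pub = Subnet(f"subnet-pub-{i}", az, [LOCAL, Route("0.0.0.0/0", IGW)])
        nats.append(NatGateway(f"nat-{i}", pub.subnet_id, f"198.51.100.{i + 1}"))
        target = "nat-0" if shared_nat else f"nat-{i}"
        priv = Subnet(f"subnet-priv-{i}", az, [LOCAL, Route("0.0.0.0/0", target)])
        subnets += [pub, priv]
    return subnets, (nats[:1] if shared_nat else nats)


# Option C from the question: a NAT gateway inside the private subnet it serves.
NAT_IN_PRIVATE = ([Subnet("subnet-priv-x", AZS[0], [LOCAL, Route("0.0.0.0/0", "nat-x")])],
                  [NatGateway("nat-x", "subnet-priv-x", "198.51.100.9")])

if __name__ == "__main__":
    for label, (subs, gws) in [("per-AZ NAT", build_layout()), ("shared NAT", build_layout(True)),
                               ("NAT in private subnet", NAT_IN_PRIVATE)]:
        print(label, audit_nat_layout(subs, gws) or ["OK"])
```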

Question 12:
A retail company uses AWS Cloud to manage its IT infrastructure. The company has set up “AWS Organizations” to manage several departments running their AWS accounts and using resources such as EC2 instances and RDS databases. The company wants to provide shared and centrally-managed VPCs to all departments using applications that need a high degree of interconnectivity.
As a solutions architect, which of the following options would you choose to facilitate this use-case?
A. Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
B. Use VPC peering to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
C. Use VPC peering to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations
D. Use VPC sharing to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations
Answer: A
Explanation
Correct option:
Use VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations
VPC sharing (part of Resource Access Manager) allows multiple AWS accounts to create their application resources such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, into shared and centrally-managed Amazon Virtual Private Clouds (VPCs). To set this up, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.
You can share Amazon VPCs to leverage the implicit routing within a VPC for applications that require a high degree of interconnectivity and are within the same trust boundaries. This reduces the number of VPCs that you create and manage while using separate accounts for billing and access control.
Incorrect options:
Use VPC sharing to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations – Using VPC sharing, an account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. The owner account cannot share the VPC itself. Therefore this option is incorrect.
Use VPC peering to share one or more subnets with other AWS accounts belonging to the same parent organization from AWS Organizations – A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. VPC peering does not facilitate centrally managed VPCs. Therefore this option is incorrect.
Use VPC peering to share a VPC with other AWS accounts belonging to the same parent organization from AWS Organizations – A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. VPC peering does not facilitate centrally managed VPCs. Moreover, an AWS owner account cannot share the VPC itself with another AWS account. Therefore this option is incorrect.

Question 13:
The engineering team at a company wants to use Amazon SQS to decouple components of the underlying application architecture. However, the team is concerned about the VPC-bound components accessing SQS over the public internet.
As a solutions architect, which of the following solutions would you recommend to address this use-case?
A. Use VPN connection to access Amazon SQS
B. Use Network Address Translation (NAT) instance to access Amazon SQS
C. Use VPC endpoint to access Amazon SQS
D. Use Internet Gateway to access Amazon SQS
Answer: C
Explanation
Correct option:
Use VPC endpoint to access Amazon SQS
AWS customers can access Amazon Simple Queue Service (Amazon SQS) from their Amazon Virtual Private Cloud (Amazon VPC) using VPC endpoints, without using public IPs, and without needing to traverse the public internet. VPC endpoints for Amazon SQS are powered by AWS PrivateLink, a highly available, scalable technology that enables you to privately connect your VPC to supported AWS services.
Amazon VPC endpoints are easy to configure. They also provide reliable connectivity to Amazon SQS without requiring an internet gateway, Network Address Translation (NAT) instance, VPN connection, or AWS Direct Connect connection. With VPC endpoints, the data between your Amazon VPC and Amazon SQS queue is transferred within the Amazon network, helping protect your instances from internet traffic.
AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
Incorrect options:
Use Internet Gateway to access Amazon SQS – An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It, therefore, imposes no availability risks or bandwidth constraints on your network traffic. This option is ruled out as the team does not want to use the public internet to access Amazon SQS.
Use VPN connection to access Amazon SQS – AWS Site-to-Site VPN (aka VPN Connection) enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with an AWS Site-to-Site VPN connection. A VPC VPN Connection utilizes IPSec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN Connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. As the existing infrastructure is within AWS Cloud, therefore a VPN connection is not required.
Use Network Address Translation (NAT) instance to access Amazon SQS – You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet. Amazon provides Amazon Linux AMIs that are configured to run as NAT instances. These AMIs include the string amzn-ami-vpc-nat in their names, so you can search for them in the Amazon EC2 console. This option is ruled out because NAT instances are used to provide internet access to any instances in a private subnet.

Question 14:
An e-commerce company is planning to migrate their two-tier application from on-premises infrastructure to AWS Cloud. As the engineering team at the company is new to the AWS Cloud, they are planning to use the Amazon VPC console wizard to set up the networking configuration for the two-tier application having public web servers and private database servers.
Can you spot the configuration that is NOT supported by the Amazon VPC console wizard?
• VPC with a public subnet only and AWS Site-to-Site VPN access
• VPC with public and private subnets and AWS Site-to-Site VPN access
• VPC with a single public subnet
• VPC with public and private subnets (NAT)
Answer: A
Explanation
Correct option:
VPC with a public subnet only and AWS Site-to-Site VPN access
The Amazon VPC console wizard provides the following four configurations:
1. VPC with a single public subnet – The configuration for this scenario includes a virtual private cloud (VPC) with a single public subnet, and an internet gateway to enable communication over the internet. We recommend this configuration if you need to run a single-tier, public-facing web application, such as a blog or a simple website.
2. VPC with public and private subnets (NAT) – The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application while maintaining back-end servers that aren’t publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.
3. VPC with public and private subnets and AWS Site-to-Site VPN access – The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with your network over an IPsec VPN tunnel. We recommend this scenario if you want to extend your network into the cloud and also directly access the Internet from your VPC. This scenario enables you to run a multi-tiered application with a scalable web front end in a public subnet and to house your data in a private subnet that is connected to your network by an IPsec AWS Site-to-Site VPN connection.
4. VPC with a private subnet only and AWS Site-to-Site VPN access – The configuration for this scenario includes a virtual private cloud (VPC) with a single private subnet, and a virtual private gateway to enable communication with your network over an IPsec VPN tunnel. There is no Internet gateway to enable communication over the Internet. We recommend this scenario if you want to extend your network into the cloud using Amazon’s infrastructure without exposing your network to the Internet.
Therefore, the option “VPC with a public subnet only and AWS Site-to-Site VPN access” is NOT supported by the Amazon VPC console wizard.
Incorrect options:
VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets and AWS Site-to-Site VPN access
These three options are valid configurations supported by the Amazon VPC console wizard.