Q13 — AWS ANS-C01 Ch.1
A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content. The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpages. The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket. A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, the company's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from the traffic between the EC2 instances and Amazon S3. Which solution will meet these requirements?
- A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF.
- B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF.
- C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table.
- D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table. ✓
Correct Answer: D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table.
Explanation
The core of this question is optimizing the traffic path from an AWS private subnet to S3 by using a VPC endpoint. Under AWS architecture design principles, EC2 instances in a private subnet that reach S3 through a NAT gateway incur additional charges, whereas creating a gateway VPC endpoint establishes a private connection path directly to S3 without traversing the public internet or a NAT device. The gateway endpoint adds a route entry to the VPC route table that targets the S3 service, redirecting the traffic onto the AWS internal network; this keeps the data transfer secure and completely eliminates the NAT gateway traffic cost. Option D implements exactly this mechanism; the remaining options either involve transit over the public internet (A/B) or use the more expensive interface endpoints (C).