Q15 — AWS ANS-C01 Ch.1


A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.

Explanation

This question is about centralizing access to Amazon S3 and Systems Manager in an AWS architecture while avoiding public endpoints and NAT gateways. The correct option follows the centralized VPC endpoint design pattern, combined with the characteristics of the AWS services involved. AWS documentation recommends using interface VPC endpoints with PrivateLink for cross-VPC access, together with Route 53 private hosted zones for unified DNS resolution. The key points of option C are: create a shared services VPC and deploy interface endpoints there; disable private DNS on the endpoints so that names are not automatically resolved to the local addresses of a single VPC; connect all VPCs through Transit Gateway; and use private hosted zones with alias records that override the default service domain names, so that requests from every VPC are directed to the shared endpoints. The other options fall short: DNS resolution is not centralized (D), the operation is complex (B), or the public path is not fully eliminated (A).