Q70 — AWS ANS-C01 Ch.1
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner?
- A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by Using the transit gateway.
- B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
- C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC. ✓
- D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
Correct Answer: C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
Explanation
Option C creates VPC endpoint services powered by AWS PrivateLink in the central shared services VPC and creates VPC endpoints in each application VPC, which yields a secure and scalable network connectivity architecture. This approach lets each business unit's application VPC securely access resources in the central shared services VPC without exposing them to the public internet and without complex network routing configuration. It satisfies the requirement for granular security controls, and it scales easily as more business units consume data from the central shared services VPC in the future. The other options either introduce overly complex network routing (A, D) or fall short on security or scalability (B).