Q41 — AWS DOP-C02 Ch.3
Question 41 of 100
A company has 20 service teams. Each service team owns its microservice and uses a separate AWS account with a VPC using the 192.168.0.0/22 CIDR block. The company manages AWS accounts using AWS Organizations. Each service team hosts its microservice on multiple Amazon EC2 instances behind an Application Load Balancer. Microservices communicate over the public internet. The company’s security team issued a new directive requiring all inter-microservice communication to occur over private network connections using HTTPS, without traversing the public internet. A DevOps engineer must implement a solution to comply with these requirements while minimizing changes required for each service team. Which solution meets these requirements?
- A. Create a new AWS account in AWS Organizations. In this account, create a VPC and share its private subnets with the organization using AWS Resource Access Manager. Instruct service teams to launch new Network Load Balancers (NLBs) and EC2 instances using the shared private subnets. Use NLB DNS names for inter-microservice communication.
- B. Create a Network Load Balancer (NLB) in each microservice VPC. Use AWS PrivateLink to create VPC endpoints for the NLB in each AWS account. Create subscriptions to each VPC endpoint in every other AWS account. Use VPC endpoint DNS names for inter-microservice communication. ✓
- C. Create a Network Load Balancer (NLB) in each microservice VPC. Create VPC peering connections between each microservice VPC. Update routing tables in each VPC to use the peering connections. Use NLB DNS names for inter-microservice communication.
- D. Create a new AWS account in AWS Organizations. In this account, create a Transit Gateway and share it with the organization using AWS Resource Access Manager. In each microservice VPC, create a Transit Gateway attachment to the shared Transit Gateway. Update routing tables in each VPC to route via the Transit Gateway. Create an NLB in each microservice VPC. Use NLB DNS names for inter-microservice communication.
Correct Answer: B. Create a Network Load Balancer (NLB) in each microservice VPC. Use AWS PrivateLink to create VPC endpoints for the NLB in each AWS account. Create subscriptions to each VPC endpoint in every other AWS account. Use VPC endpoint DNS names for inter-microservice communication.
Explanation
Per the scenario, microservices must communicate over HTTPS on private network paths without traversing the public internet, so the solution must provide private connectivity between VPCs that sit in 20 different AWS accounts. Note that every VPC uses the same 192.168.0.0/22 CIDR block, which rules out any design that routes between the VPCs. Option A proposes sharing a central VPC's private subnets, but it requires every service team to launch new NLBs and EC2 instances in those shared subnets, a significant change. Option B uses AWS PrivateLink: each team creates an NLB in its own VPC and publishes it as a VPC endpoint service, and the other accounts create interface VPC endpoints to it in their own VPCs. PrivateLink does not route between the VPCs, so the overlapping CIDRs are not a problem; traffic stays on the AWS network, HTTPS is carried end to end, and each team only adds an NLB and an endpoint service in front of its existing instances. Option C uses VPC peering, which requires non-overlapping CIDR blocks and pairwise peering connections across 20 accounts, giving high operational complexity. Option D introduces a shared Transit Gateway, which likewise cannot route between identical CIDR ranges and adds management overhead. Thus, Option B best fulfills the requirements with minimal per-team changes.
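The following Terraform configuration is an added illustration of the Option B wiring; it is not part of the exam page or any vendor material. It shows one provider team (the hypothetical "orders" service) publishing its NLB as a PrivateLink endpoint service, and one consumer team (the hypothetical "billing" account) creating an interface endpoint to it. All account IDs, VPC and subnet IDs, the region and the DNS name `orders.internal.example.com` are placeholders; the service name string is exchanged between the two teams out of band.

```hcl
# Added example (not from the exam page). Placeholders: account IDs, VPC/subnet
# IDs, region, and the private DNS name. Provider and consumer normally live in
# separate Terraform states/accounts; they are shown together for readability.

# ---------- Provider account: the team that owns the "orders" microservice ----------

resource "aws_lb" "orders" {
  name               = "orders-nlb"
  load_balancer_type = "network"
  internal           = true            # must not be internet-facing; that is the directive
  subnets            = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"]
}

resource "aws_lb_target_group" "orders_https" {
  name        = "orders-https"
  port        = 443
  protocol    = "TCP"                  # TCP passthrough: TLS terminates on the instances, so it is encrypted end to end
  vpc_id      = "vpc-PLACEHOLDER-orders"
  target_type = "instance"

  health_check {
    protocol = "HTTPS"
    path     = "/healthz"              # placeholder health endpoint on the microservice
  }
}

resource "aws_lb_listener" "orders_https" {
  load_balancer_arn = aws_lb.orders.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.orders_https.arn
  }
}

resource "aws_vpc_endpoint_service" "orders" {
  acceptance_required        = false   # consumers are already restricted by allowed_principals
  network_load_balancer_arns = [aws_lb.orders.arn]

  # Only the listed principals may create endpoints to this service; anyone else is denied.
  allowed_principals = [
    "arn:aws:iam::111111111111:root",  # placeholder: the "billing" consumer account
    # one entry per service-team account that is allowed to call "orders"
  ]

  # Optional but recommended: gives consumers a stable hostname whose TLS certificate
  # matches, instead of the generated vpce-...amazonaws.com name. Requires proving
  # ownership of the domain with a TXT record before AWS activates it.
  private_dns_name = "orders.internal.example.com"
}

# ---------- Consumer account: any team that needs to call "orders" ----------

resource "aws_security_group" "orders_endpoint" {
  name   = "orders-endpoint"
  vpc_id = "vpc-PLACEHOLDER-billing"

  # Only HTTPS, and only from inside this VPC (the 192.168.0.0/22 block from the scenario).
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["192.168.0.0/22"]
  }
}

resource "aws_vpc_endpoint" "orders" {
  vpc_id              = "vpc-PLACEHOLDER-billing"
  service_name        = "com.amazonaws.vpce.us-east-1.vpce-svc-PLACEHOLDER"  # from the provider team
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-PLACEHOLDER-c"]
  security_group_ids  = [aws_security_group.orders_endpoint.id]
  private_dns_enabled = true           # resolves orders.internal.example.com to the endpoint ENIs in this VPC
}
```

Two points worth checking in a real deployment: the endpoint's security group, not the NLB's network, is what limits who inside the consumer VPC can reach the service, so keep it to port 443; and without the private DNS name the generated endpoint hostname will not match the microservice's certificate, which tempts teams to disable TLS verification. The overlapping 192.168.0.0/22 ranges never matter here because PrivateLink presents the provider's NLB as an ENI inside the consumer VPC rather than routing between the two VPCs.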