Q34 — AWS SAP-C02 Ch.1
Q109. A company has developed APIs that use Amazon API Gateway with Regional endpoints. The APIs call AWS Lambda functions that use API Gateway authentication mechanisms. After a design review, a solutions architect identifies a set of APIs that do not require public access. The solutions architect must design a solution to make the set of APIs accessible only from a VPC. All APIs need to be called with an authenticated user. Which solution will meet these requirements with the LEAST amount of effort?
- A. Create an internal Application Load Balancer (ALB). Create a target group. Select the Lambda function to call. Use the ALB DNS name to call the API from the VPC
- B. Remove the DNS entry that is associated with the API in API Gateway. Create a hosted zone in Amazon Route 53. Create a CNAME record in the hosted zone. Update the API in API Gateway with the CNAME record. Use the CNAME record to call the API from the VPC
- C. Update the API endpoint from Regional to private in API Gateway. Create an interface VPC endpoint in the VPC. Create a resource policy, and attach it to the API. Use the VPC endpoint to call the API from the VPC ✓
- D. Deploy the Lambda functions inside the VPC. Provision an EC2 instance, and install an Apache server. From the Apache server, call the Lambda functions. Use the internal CNAME record of the EC2 instance to call the API from the VPC
Correct Answer: C. Update the API endpoint from Regional to private in API Gateway. Create an interface VPC endpoint in the VPC. Create a resource policy, and attach it to the API. Use the VPC endpoint to call the API from the VPC
Explanation
To make a set of APIs accessible only from a VPC while still requiring an authenticated caller, the solutions architect should choose option C: update the API endpoint from Regional to private in API Gateway, create an interface VPC endpoint in the VPC, create a resource policy and attach it to the API, and use the VPC endpoint to call the API from the VPC. Taking each step in turn:
- Update the API endpoint from Regional to private in API Gateway: changing the endpoint type to private restricts access to the API to callers inside the specified VPC; the API is no longer reachable from the public internet.
- Create an interface VPC endpoint in the VPC: an interface VPC endpoint lets resources in the VPC reach API Gateway privately, without an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- Create a resource policy and attach it to the API: a resource policy defines fine-grained access control for the API; attaching one to the API lets you restrict access to the specified VPC.
- Use the VPC endpoint to call the API from the VPC: with the private endpoint type and the VPC endpoint in place, calls to the API are routed privately through the VPC, so the APIs are reachable only from within it.
Option A is incorrect because it creates an internal Application Load Balancer (ALB) and uses the ALB DNS name to call the API from the VPC. This approach does not address the requirement of making the APIs accessible only from the VPC.
Option B is incorrect because it removes the DNS entry associated with the API in API Gateway and creates a CNAME record in a Route 53 hosted zone. This approach does not provide the necessary authentication mechanism and does not restrict access to the VPC.
Option D is incorrect because it deploys the Lambda functions inside the VPC and calls them from an EC2 instance using an internal CNAME record. This approach does not use the capabilities of API Gateway and adds unnecessary complexity.
Therefore, the solution with the least amount of effort is C: Update the API endpoint to private, create an interface VPC endpoint, create a resource policy, and use the VPC endpoint to call the API from the VPC.
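As an added illustration (not part of the original question or explanation), this is the shape of the API Gateway resource policy that step C attaches to the private API so that only calls arriving through one interface VPC endpoint are admitted; the endpoint ID `vpce-EXAMPLE` is a placeholder for the endpoint created in the VPC.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*"
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "execute-api:Invoke",
      "Resource": "execute-api:/*",
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-EXAMPLE"
        }
      }
    }
  ]
}
```

The explicit Deny conditioned on aws:SourceVpce is what turns the policy into an allow-list of a single VPC endpoint; the Allow statement alone would admit any caller that can reach the private endpoint. The API's own authorizer still applies to every request that passes the resource policy, which is how the "authenticated user" requirement is preserved.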