Q32 — AWS SAP-C02 Ch.2

Q182. A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company's marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: C. Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.

Explanation

Option C meets the requirements with the LEAST operational overhead.

Option A instructs each business unit to add a unique secondary CIDR range to its VPCs and then peer the VPCs. This requires coordination across several business units and changes to existing network configurations, which increases operational overhead.

Option B creates an EC2 instance as a virtual appliance and uses Site-to-Site VPN connections between the marketing team's VPC and each business unit's VPCs. Configuring and maintaining a VPN connection per business unit adds complexity and operational overhead.

Option C creates an AWS PrivateLink endpoint service to share the marketing application and grants permission to specific AWS accounts to connect to the service; those accounts then create interface VPC endpoints to reach the application over private IP addresses. This minimizes operational overhead because it requires no significant changes to existing VPC configurations and provides secure access over private IP addresses.

Option D places a Network Load Balancer (NLB) in front of the marketing application and uses an API Gateway private integration to connect the API to the NLB. This is scalable and highly available, but the additional infrastructure components increase operational overhead.

Overall, Option C is a cost-effective and scalable way to share the marketing application across the business units' VPCs with minimal operational overhead. With AWS PrivateLink, the marketing team creates an endpoint service for its internal application, grants permission to specific AWS accounts to connect to it, and those accounts create interface VPC endpoints to access the application by private IP address. Nothing changes in the other business units' networks, and no peering or NAT is needed, which is why the overlapping CIDR ranges do not matter. The solution is both scalable and secure.
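Added example (not part of the original question or answer key): a Terraform sketch of Option C, with the marketing team's provider side and one consuming business-unit account in a single configuration. All resource names, variables and account IDs are hypothetical placeholders; it assumes an internal Network Load Balancer already fronts the marketing application, since a PrivateLink endpoint service is built on top of an NLB.

```hcl
# Inputs (placeholders): NLB in the marketing account, and the consumer VPC details
variable "marketing_nlb_arn"       { type = string }
variable "bu_a_vpc_id"             { type = string }
variable "bu_a_vpc_cidr"           { type = string }
variable "bu_a_private_subnet_ids" { type = list(string) }

# --- Provider side (marketing account, default aws provider) ---
resource "aws_vpc_endpoint_service" "marketing_app" {
  acceptance_required        = true   # marketing must approve every connection
  network_load_balancer_arns = [var.marketing_nlb_arn]
  # Only these business-unit accounts may request a connection (placeholder IDs)
  allowed_principals = [
    "arn:aws:iam::111111111111:root",
    "arn:aws:iam::222222222222:root",
  ]
  tags = { Name = "marketing-app-endpoint-service" }
}

# --- Consumer side (business unit A, account 111111111111) ---
provider "aws" {
  alias  = "bu_a"
  region = "us-east-1"
  # credentials / assume_role for the consumer account omitted
}

# Endpoint ENIs get addresses from BU A's own VPC, so its CIDR may overlap
# with the marketing VPC: no peering, no NAT, no route-table changes.
resource "aws_security_group" "marketing_app_client" {
  provider = aws.bu_a
  name     = "marketing-app-endpoint-sg"
  vpc_id   = var.bu_a_vpc_id
  ingress {                       # only BU A's VPC may reach the app port
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.bu_a_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "marketing_app" {
  provider           = aws.bu_a
  vpc_id             = var.bu_a_vpc_id
  service_name       = aws_vpc_endpoint_service.marketing_app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.bu_a_private_subnet_ids
  security_group_ids = [aws_security_group.marketing_app_client.id]
}

# Marketing explicitly accepts BU A's connection request
resource "aws_vpc_endpoint_connection_accepter" "bu_a" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.marketing_app.id
  vpc_endpoint_id         = aws_vpc_endpoint.marketing_app.id
}
```

The `allowed_principals` list together with `acceptance_required = true` keeps the service reachable only by accounts the marketing team has explicitly approved, and the consumer-side security group limits which sources inside that VPC can reach the endpoint.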