Q72 — AWS SAP-C02 Ch.2


Q222. A company has migrated a legacy application to the AWS Cloud. The application runs on three Amazon EC2 instances that are spread across three Availability Zones. One EC2 instance is in each Availability Zone. The EC2 instances are running in three private subnets of the VPC and are set up as targets for an Application Load Balancer (ALB) that is associated with three public subnets. The application needs to communicate with on-premises systems. Only traffic from IP addresses in the company's IP address range is allowed to access the on-premises systems. The company's security team is bringing only one IP address from its internal IP address range to the cloud. The company has added this IP address to the allow list for the company firewall. The company also has created an Elastic IP address for this IP address. A solutions architect needs to create a solution that gives the application the ability to communicate with the on-premises systems. The solution also must be able to mitigate failures automatically. Which solution will meet these requirements?

Correct Answer: C. Deploy a single NAT gateway in a public subnet. Assign the Elastic IP address to the NAT gateway. Use Amazon CloudWatch with a custom metric to monitor the NAT gateway. If the NAT gateway is unhealthy, invoke an AWS Lambda function to create a new NAT gateway in a different subnet. Assign the Elastic IP address to the new NAT gateway.

Explanation

Option A deploys three NAT gateways, one in each public subnet, assigns the Elastic IP address to the NAT gateways, and turns on health checks for them; if a NAT gateway fails a health check, the NAT gateway is recreated and the Elastic IP address is assigned to the new one. Although this approach provides high availability, it may not be cost-effective, especially since the company has brought only one IP address from its internal IP address range to the cloud.

Option B replaces the ALB with a Network Load Balancer (NLB), assigns the Elastic IP address to the NLB, turns on health checks for the NLB, and redeploys the NLB in different subnets if a health check fails. However, this option does not provide the NAT functionality required to connect to the on-premises systems.

Option D assigns the Elastic IP address to the ALB, creates an Amazon Route 53 simple record with the Elastic IP address as its value, and creates a Route 53 health check; if the health check fails, the ALB is recreated in different subnets. This approach also does not provide the NAT functionality required to connect to the on-premises systems.

Option C is therefore the most suitable solution: deploy a single NAT gateway in a public subnet, assign the Elastic IP address to it, and monitor it with Amazon CloudWatch using a custom metric. If the NAT gateway is unhealthy, an AWS Lambda function creates a new NAT gateway in a different subnet and assigns the Elastic IP address to the new NAT gateway. This approach provides high availability, cost-effectiveness, and the NAT functionality required to connect to the on-premises systems, while only traffic from IP addresses in the company's IP address range is allowed to access those systems.
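The failover step that option C leaves to the Lambda function, written out as an added example (not part of the question or its explanation): a boto3-style handler that replaces the unhealthy NAT gateway in a public subnet in a different Availability Zone, reuses the same Elastic IP allocation, and repoints the private route tables. The gateway, subnet, allocation and route-table IDs are assumed to arrive in environment variables whose names are invented here, and the `ec2` client is passed in so the logic can be exercised offline against a stand-in.

```python
import os


def pick_standby_subnet(ec2, failed_nat_id, candidate_subnet_ids):
    """Return the first candidate public subnet in a different AZ from the failed gateway."""
    failed = ec2.describe_nat_gateways(NatGatewayIds=[failed_nat_id])["NatGateways"][0]
    wanted = list({failed["SubnetId"], *candidate_subnet_ids})
    subnets = ec2.describe_subnets(SubnetIds=wanted)["Subnets"]
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    failed_az = az_of[failed["SubnetId"]]
    for subnet_id in candidate_subnet_ids:
        if az_of[subnet_id] != failed_az:
            return subnet_id
    raise RuntimeError("no candidate public subnet outside " + failed_az)


def fail_over_nat_gateway(ec2, failed_nat_id, allocation_id, candidate_subnet_ids, route_table_ids):
    """Replace the unhealthy NAT gateway on the same Elastic IP; `ec2` is a boto3 EC2 client or a stand-in."""
    new_subnet_id = pick_standby_subnet(ec2, failed_nat_id, candidate_subnet_ids)
    # A NAT gateway's primary Elastic IP cannot be disassociated while the gateway
    # exists, so the unhealthy gateway is deleted first to free the EIP for reuse.
    ec2.delete_nat_gateway(NatGatewayId=failed_nat_id)
    ec2.get_waiter("nat_gateway_deleted").wait(NatGatewayIds=[failed_nat_id])
    resp = ec2.create_nat_gateway(
        SubnetId=new_subnet_id, AllocationId=allocation_id, ConnectivityType="public"
    )
    new_nat_id = resp["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[new_nat_id])
    # Point the private subnets' default route at the replacement gateway.
    for rtb_id in route_table_ids:
        ec2.replace_route(
            RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0", NatGatewayId=new_nat_id
        )
    return new_nat_id


def lambda_handler(event, context):
    """Entry point for the CloudWatch alarm action; environment variable names are assumed."""
    import boto3  # imported here so the logic above stays importable without boto3 installed
    new_nat_id = fail_over_nat_gateway(
        boto3.client("ec2"),
        failed_nat_id=os.environ["NAT_GATEWAY_ID"],
        allocation_id=os.environ["EIP_ALLOCATION_ID"],
        candidate_subnet_ids=os.environ["PUBLIC_SUBNET_IDS"].split(","),
        route_table_ids=os.environ["PRIVATE_ROUTE_TABLE_IDS"].split(","),
    )
    return {"newNatGatewayId": new_nat_id}
```

Because the replacement keeps the same Elastic IP, the on-premises firewall allow list needs no change; outbound traffic from all three private subnets is down from the failure until the new gateway is available and the routes are updated, since a NAT gateway is a zonal resource.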