Q28 — AWS SAP-C02 Ch.3


Q253. A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service. In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service, running on EC2 instances behind a Network Load Balancer (NLB), is deployed in different subnets. The clients are unable to submit logs using the VPC endpoint. Which combination of steps should a solutions architect take to resolve this issue? (Select TWO.)

Correct Answer:

A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances.

C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.

Explanation

To resolve the issue where clients are unable to submit logs using the VPC endpoint, the solutions architect should take the following steps:

A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Ensure that the network access control list (NACL) associated with the logging service subnet allows inbound traffic from the Network Load Balancer (NLB) subnets and outbound traffic back to them; NACLs are stateless, so the return traffic is not allowed automatically. This ensures that the NLB can communicate with the logging service running on EC2 instances.

C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets. Verify that the security group associated with the EC2 instances running the logging service has rules that permit incoming traffic from the NLB subnets. This allows the logging service to receive logs forwarded by the NLB.

The other options are not relevant to resolving the issue:

B. Checking the NACL attachments to the interface endpoint subnets and the logging service subnets is not necessary to address the issue at hand.

D. Checking the security group for the logging service to allow ingress from the clients is not needed, because the architecture is based on interface endpoints: client traffic is routed through the VPC endpoint and the NLB, not directly from the clients to the logging service's security group.

E. Checking the security group for the NLB to ensure it allows ingress from the interface endpoint subnets is not required to resolve the issue. The NLB should already be able to receive traffic from the interface endpoints as long as the VPC endpoint and NLB configurations are properly set up.