Q59 — AWS SAA-C03 Chapter 3


Q189. A company runs workloads on AWS. The company needs to connect to a service from an external provider. The service is hosted in the provider's VPC. According to the company's security team, the connection must be private and must be limited to the target service only. The connection can be initiated only from the company's VPC. Which solution meets these requirements?

Correct answer: D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.

Explanation

To connect to a service from an external provider that is hosted in the provider's VPC, with private connectivity restricted to the target service and initiated only from the company's VPC, the company should ask the provider to create a VPC endpoint for the target service and use AWS PrivateLink to connect to it. Therefore, option D is the correct answer.

Option A suggests creating a VPC peering connection between the company's VPC and the provider's VPC. While this approach provides private connectivity between the two VPCs, it may not restrict access to the target service alone and does not meet the requirement that the connection be initiated only from the company's VPC.

Option B suggests asking the provider to create a virtual private gateway in its VPC and using AWS PrivateLink to connect to the target service. While this approach can provide secure connectivity, it requires more configuration management than using AWS PrivateLink to connect directly to the target service.

Option C suggests creating a NAT gateway in a public subnet of the company's VPC. While this approach can provide private connectivity, it may not restrict access to the target service and does not meet the requirement that the connection be initiated only from the company's VPC.

By asking the provider to create a VPC endpoint for the target service, the service can be accessed through AWS PrivateLink without being exposed to the Internet. AWS PrivateLink provides private connectivity over the Amazon network, bypasses the public Internet, and ensures that traffic stays within the AWS network. This solution meets the requirements of restricting access to the target service and initiating the connection only from the company's VPC, without requiring any additional infrastructure management on the company's side.