AWS Certified Solutions Architect Associate SAA-C03 Practice Question
A company wants its EC2 instances in a private subnet to access Amazon S3 while ensuring that this traffic does not go through an internet gateway. As a Solutions Architect, what is the BEST solution to meet this requirement?
Establish a VPN connection between the private subnet and Amazon S3.
Set up a NAT gateway in a public subnet and configure the private subnet's route table accordingly.
Associate an internet gateway with the VPC to enable internet access.
Create a VPC gateway endpoint for Amazon S3 and update the route table of the private subnet.
Creating a gateway VPC endpoint for Amazon S3 lets instances in the private subnet reach S3 entirely over the AWS network without using an internet gateway, NAT device, VPN, or AWS Direct Connect. Associating the endpoint with the private subnet's route table adds a route whose destination is the regional S3 managed prefix list (pl-xxxxxxxx) and whose target is the endpoint (vpce-xxxxxxxx); no DNS or application changes are needed, and the gateway endpoint itself carries no hourly or data-processing charge. A NAT gateway would allow the traffic, but it still forwards it through the VPC's internet gateway and incurs NAT data-processing charges, so it does not satisfy the requirement to avoid an internet gateway. Amazon S3 cannot be the target of an AWS Site-to-Site VPN connection, and simply adding an internet gateway would expose the subnet to the public internet rather than eliminating that path. Note that the gateway endpoint only serves S3 in the same region, and because the instance still resolves S3 to public IP addresses, the instance's security group and any network ACL must allow outbound HTTPS to that prefix list even though the traffic never leaves AWS.
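As an added worked example (not part of the original question or its explanation), the following Terraform shows the gateway endpoint with the private route table attached, an endpoint policy that limits which buckets are reachable through it, and a bucket policy that rejects requests not arriving via the endpoint. The VPC, route table, bucket name, and admin role ARN are assumed placeholder names.

```hcl
# Added example, not from the original page. Assumed names: aws_vpc.main,
# aws_route_table.private, bucket "example-company-data", and the admin role ARN.

data "aws_region" "current" {}

resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${data.aws_region.current.name}.s3"
  vpc_endpoint_type = "Gateway"

  # Attaching the private route table inserts a route: destination = the S3
  # managed prefix list (pl-...), target = this endpoint (vpce-...).
  route_table_ids = [aws_route_table.private.id]

  # Endpoint policy: only the company's bucket is reachable through this path,
  # which blocks exfiltration to arbitrary third-party buckets via the endpoint.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "OnlyCompanyBucket"
      Effect    = "Allow"
      Principal = "*"
      Action    = ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]
      Resource = [
        "arn:aws:s3:::example-company-data",
        "arn:aws:s3:::example-company-data/*",
      ]
    }]
  })
}

# Bucket side: deny any request that did not come through the endpoint, so the
# "no internet path" requirement is enforced rather than merely available.
# The ArnNotLike clause keeps an assumed admin role able to manage the bucket
# from outside the VPC; without it this policy locks out the console as well.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = "example-company-data"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyUnlessFromEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::example-company-data",
        "arn:aws:s3:::example-company-data/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
        ArnNotLike      = { "aws:PrincipalArn" = "arn:aws:iam::123456789012:role/S3Admin" }
      }
    }]
  })
}
```

After `terraform apply`, confirm the route took effect with `aws ec2 describe-route-tables --route-table-ids <rtb-id>`: the output should contain a route whose `DestinationPrefixListId` is the S3 prefix list and whose `GatewayId` is the `vpce-` ID, and the instance's security group must still permit outbound 443 to that prefix list. Both conditions in the Deny statement are ANDed, so a request is refused only when it neither arrives via the endpoint nor comes from the admin role.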