AWS Certified Solutions Architect Professional SAP-C02 Practice Question
A company runs more than 20 microservices on Amazon EKS. Each cluster resides in its own VPC and in a different AWS account. Developers need to invoke other microservices by DNS name, without having to know or manage VPC CIDR blocks. All service-to-service traffic must be encrypted in transit, and network administrators must be able to apply fine-grained IAM authorization so that only approved callers can reach specific microservices. The architecture team also wants to avoid running sidecar proxies or modifying the Amazon VPC CNI plug-in and to minimize the effort required to add new accounts and clusters.
Which solution meets all of these requirements with the LEAST operational overhead?
Create an Amazon VPC Lattice service network that is shared with all accounts. Associate each cluster's VPC to the service network and register every microservice as a VPC Lattice service target group.
Attach all VPCs to an AWS Transit Gateway, expose each microservice through a Network Load Balancer, and create private Route 53 records that point to the load-balancer DNS names. Control access with security groups.
For each microservice, create an interface endpoint service with AWS PrivateLink, share the endpoint with other accounts through AWS Resource Access Manager, and use Route 53 private DNS names for discovery.
Deploy the open-source Istio service mesh in every EKS cluster and configure a multi-primary mesh across clusters by using VPC peering for inter-cluster traffic.
Amazon VPC Lattice lets you create a service network that spans multiple accounts and VPCs. Each EKS microservice can be registered as a VPC Lattice service and discovered through an automatically created DNS name. TLS listeners provide encryption, and IAM auth policies give per-service, fine-grained access control. Because VPC Lattice is integrated into the AWS network fabric, it does not require sidecar proxies, custom CNI plug-ins, or load-balancer provisioning, so onboarding additional clusters is largely automatic.
Istio delivers similar features but requires operating a service mesh with sidecar injection and does not natively use IAM, so operational overhead is much higher. A Transit Gateway plus NLBs and private Route 53 records handles routing but lacks integrated service discovery and IAM-level authorization. AWS PrivateLink achieves encrypted connectivity but needs a separate endpoint service and DNS record for every microservice, making it complex and hard to scale. Therefore, configuring an Amazon VPC Lattice service network is the most efficient and fully compliant choice.
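The per-service IAM authorization described above is expressed as a VPC Lattice auth policy attached to the service (with its auth type set to AWS_IAM). The policy below is an added example, not taken from the page or from AWS documentation; the account IDs, role name and VPC ID are placeholders. It allows only one approved caller role, from another account, to invoke the service, and only for GET requests under `/v1/` arriving from a single approved VPC; any request not matched by this statement is denied.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowApprovedCallerReadOnly",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:role/orders-caller"
      },
      "Action": "vpc-lattice-svcs:Invoke",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "vpc-lattice-svcs:RequestMethod": "GET",
          "vpc-lattice-svcs:SourceVpc": "vpc-0123456789EXAMPLE"
        },
        "StringLike": {
          "vpc-lattice-svcs:RequestPath": "/v1/*"
        }
      }
    }
  ]
}
```

Callers must sign their requests with SigV4 for the principal to be evaluated; an unsigned request is treated as anonymous, does not match the Principal above, and is rejected, which is the behaviour a network administrator wants when checking that only approved callers reach a microservice.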
Design Solutions for Organizational Complexity