AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to deploy the AWS DataSync agent on-premises and use an interface VPC endpoint for DataSync in the VPC. AWS DataSync supports AWS PrivateLink, which allows you to create a private endpoint for the DataSync service within your VPC. When the on-premises agent is configured to use this interface VPC endpoint, all communication, including agent activation and data transfer, is routed securely over the AWS Direct Connect connection to the endpoint's elastic network interface (ENI) in the VPC. This ensures that no migration traffic ever traverses the public internet, satisfying the strict security requirement.

• Deploying the DataSync agent on an EC2 instance in the VPC and mounting the on-premises NFS share is an anti-pattern. The agent is designed to be deployed close to the source data to optimize performance and reduce complexity. Pulling the data across the Direct Connect connection before it even reaches the agent is inefficient.
• Using a public service endpoint, even with restrictive security group rules, would still route traffic over the public internet, which explicitly violates the core security requirement of the company. Security groups act as a firewall but do not change the network path of the traffic.
• Using AWS Transfer Family is not the optimal solution for a large-scale file system migration. While Transfer Family is excellent for file-based workflows over SFTP, FTPS, and FTP, AWS DataSync is purpose-built for accelerating large-scale online data transfers between on-premises storage and AWS services like Amazon FSx.