AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to create VPC Gateway Endpoints in each Application VPC. Gateway Endpoints are the ideal solution for connecting to Amazon S3 and DynamoDB privately from within a VPC. They provide several key benefits that directly address the requirements. First, they do not consume any IP addresses from your VPC's CIDR block, which is a critical advantage given the concern about IP address exhaustion. Second, they ensure traffic does not traverse the public internet by creating a private route between the VPC and the AWS services. Finally, you can attach an endpoint policy to a Gateway Endpoint to enforce fine-grained access control, restricting access to only the specified S3 buckets and DynamoDB tables, which satisfies the security mandate.

Incorrect options explained:

• Creating Interface Endpoints in each Application VPC is incorrect because Interface Endpoints, which use Elastic Network Interfaces (ENIs), consume private IP addresses from the subnets they are placed in. This would worsen the IP address exhaustion problem, making this solution less resource-efficient than using Gateway Endpoints.
• Centralizing Interface Endpoints in a Shared Services VPC is incorrect for two main reasons. While Interface Endpoints can be accessed over a Transit Gateway, Gateway Endpoints cannot; this architecture forces the use of the more expensive and IP-consuming Interface Endpoints. This design also introduces unnecessary complexity and potential data transfer costs associated with routing traffic through the Transit Gateway and the central VPC.
• Using a NAT Gateway is incorrect because it is designed to allow instances in private subnets to connect to the internet. Traffic routed through a NAT Gateway to access AWS services would traverse the public internet to reach the public service endpoints, which explicitly violates the security requirement that traffic must remain within the AWS network.