AWS Certified Solutions Architect Professional SAP-C02 Practice Question
An e-commerce company runs its order-processing microservice on Amazon ECS tasks that use AWS Fargate. The tasks are deployed in private subnets of a VPC that has no internet gateway or NAT gateway. The application must (1) publish custom events to Amazon EventBridge and (2) read and write order metadata in an Amazon DynamoDB table. All traffic to AWS services must stay on the AWS network, and the architecture team wants to minimize any additional data-processing charges for DynamoDB access while keeping operational overhead low. Which network design should a solutions architect implement to meet these requirements?
Provision a NAT gateway in a public subnet and point the private subnets' default route to the NAT gateway so the tasks can reach EventBridge and DynamoDB over the internet.
Peer the production VPC with a separate VPC that has internet connectivity, and route traffic through the peering connection to access EventBridge and DynamoDB.
Create interface VPC endpoints for both EventBridge and DynamoDB in the VPC, and attach restrictive endpoint policies.
Create a gateway VPC endpoint for DynamoDB and an interface VPC endpoint for EventBridge in the VPC. Update the route tables and security groups so that the ECS tasks use these endpoints.
Amazon EventBridge must be reached through an interface VPC endpoint, which keeps traffic on the AWS backbone without requiring internet or NAT gateways. DynamoDB supports both interface and gateway endpoints, but the gateway option carries no data-processing cost and is ideal when access is needed only from within the same VPC or Region. Therefore, creating a gateway endpoint for DynamoDB and an interface endpoint for EventBridge satisfies the private-traffic requirement and minimizes cost with very little ongoing management. Using interface endpoints for both services would work but would add avoidable charges for DynamoDB. A NAT gateway or VPC peering solution would send traffic over public infrastructure and introduce higher cost and operational complexity, so those options do not meet the stated requirements.
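The design described above as a CloudFormation fragment; this is an added example, not code from the page or the exam provider. The VPC, subnet, route-table and task security-group IDs are template parameters, and the table and event-bus names are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }
  PrivateSubnetIds: { Type: List<AWS::EC2::Subnet::Id> }      # subnets the Fargate tasks run in
  PrivateRouteTableIds: { Type: CommaDelimitedList }          # route tables of those subnets
  TaskSecurityGroupId: { Type: AWS::EC2::SecurityGroup::Id }  # SG attached to the ECS tasks
  OrdersTableName: { Type: String, Default: orders }          # constructed placeholder names
  OrderEventBusName: { Type: String, Default: order-events }
Resources:
  # Gateway endpoint: a prefix-list route in each private route table; no hourly or per-GB charge.
  DynamoDbEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      RouteTableIds: !Ref PrivateRouteTableIds
      PolicyDocument:   # restrictive endpoint policy: only the orders table, only the actions needed
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: [dynamodb:GetItem, dynamodb:PutItem, dynamodb:UpdateItem, dynamodb:Query]
            Resource: !Sub arn:${AWS::Partition}:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${OrdersTableName}
  # Interface endpoint: ENIs in the private subnets, reachable on 443 only from the task security group.
  EventBridgeEndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the EventBridge endpoint from the order-processing tasks only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 443, ToPort: 443, SourceSecurityGroupId: !Ref TaskSecurityGroupId }
  EventBridgeEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Interface
      ServiceName: !Sub com.amazonaws.${AWS::Region}.events
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds: [!Ref EventBridgeEndpointSg]
      PrivateDnsEnabled: true   # events.<region>.amazonaws.com resolves to the endpoint, so SDK config is unchanged
      PolicyDocument:   # tasks may only publish to the order event bus through this endpoint
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action: events:PutEvents
            Resource: !Sub arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:event-bus/${OrderEventBusName}
```

Endpoint policies only narrow what can pass through the endpoint; the task role still needs matching IAM permissions. In a VPC with no internet path, Fargate also needs ECR, S3 and CloudWatch Logs endpoints to pull images and ship logs, which is outside this question's scope.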
Design for New Solutions