AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 376

A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same
AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses.
Which solution will meet these requirements?

Answer options

• A. Connect to CloudWatch through a NAT gateway.
• B. Connect to CloudWatch through a gateway endpoint.
• C. Connect to CloudWatch through an internet gateway.
• D. Connect to CloudWatch through an interface endpoint.

Correct answer: D

Explanation

To securely transmit custom metrics to Amazon CloudWatch using only private IP addresses, you must configure an interface VPC endpoint (AWS PrivateLink). Gateway endpoints are not supported for CloudWatch, as they are only available for Amazon S3 and DynamoDB. Using an internet gateway or a NAT gateway would route traffic using public IP addresses, failing the private connectivity requirement.