AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 15

A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)

Answer options

• A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
• B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0
• C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
• D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
• E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.
• F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.

Correct answer: A, C, D

Explanation

The correct answer includes validating private DNS settings to ensure proper name resolution (A), allowing inbound traffic for CloudWatch agent communication (C), and establishing necessary VPC endpoints for CloudWatch logs and monitoring (D). Options B and E are incorrect as they do not directly address the requirements for maintaining CloudWatch agent functionality after the NAT gateway removal.