AWS Certified Database – Specialty — Question 271
A company has a hybrid environment in which a VPC connects to an on-premises network through an AWS Site-to-Site VPN connection. The VPC contains an application that is hosted on Amazon EC2 instances. The EC2 instances run in private subnets behind an Application Load Balancer (ALB) that is associated with multiple public subnets. The EC2 instances need to securely access an Amazon DynamoDB table.
Which solution will meet these requirements?
Answer options
- A. Use the internet gateway of the VPC to access the DynamoDB table. Use the ALB to route the traffic to the EC2 instances.
- B. Add a NAT gateway in one of the public subnets of the VPC. Configure the security groups of the EC2 instances to access the DynamoDB table through the NAT gateway.
- C. Use the Site-to-Site VPN connection to route all DynamoDB network traffic through the on-premises network infrastructure to access the EC2 instances.
- D. Create a VPC endpoint for DynamoDB. Assign the endpoint to the route table of the private subnets that contain the EC2 instances.
Correct answer: C
Explanation
Routing DynamoDB traffic back through the Site-to-Site VPN to the on-premises network infrastructure ensures that all data access complies with strict corporate security policies that require centralized on-premises inspection. This configuration prevents the EC2 instances from reaching the public internet directly or using AWS-native endpoints that bypass the corporate firewall. Other solutions, such as NAT gateways or internet gateways, would send the traffic over the public internet, violating the security requirement for on-premises routing control.