AWS Certified SAP on AWS – Specialty (PAS-C01) — Question 107
A company's SAP solutions architect is configuring a network architecture for an SAP HANA multi-node environment. The company requires isolation of the logical network zones: client, internal, and storage. The database runs on X1 (memory optimized) Amazon EC2 instances and uses Amazon Elastic Block Store (Amazon EBS) volumes for persistent storage.
Which combination of actions will provide the required isolation? (Choose three.)
Answer options
- A. Attach an AWS Network Firewall policy for each zone to the subnet for the node cluster.
- B. Attach a secondary elastic network interface to each instance for the internal communications between nodes.
- C. Attach a secondary elastic network interface to each instance for the storage communications.
- D. Configure a security group with rules that allow only TCP connections within the security group on the ports that are assigned for the internal network connections. Associate the security group with the appropriate elastic network interface on each instance.
- E. Configure a security group with rules that allow only TCP connections with the external customer network on the ports that are assigned for the client connections. Associate the security group with the appropriate elastic network interface.
- F. Configure a security group with rules that allow Non-Volatile Memory Express (NVMe) connections within the subnet range. Associate the security group with the appropriate elastic network interface on each instance.
Correct answer: B, C, D
Explanation
The correct actions are B, C, and D. Attaching secondary elastic network interfaces for internal communications (B) and storage communications (C) ensures that these zones are isolated from one another. Configuring a security group for internal network connections (D) adds a layer of security by controlling the traffic allowed between the nodes. Options A, E, and F do not provide the required isolation across the specified logical network zones.