AWS Certified Solutions Architect – Associate (SAA-C02) — Question 508
A company has an AWS account used for software engineering. The AWS account has access to the company's on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway.
A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company's data center.
Which solution will meet these requirements?
Answer options
- A. Configure the Lambda function to run in the VPC with the appropriate security group.
- B. Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through the VPN.
- C. Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect.
- D. Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address without an elastic network interface.
Correct answer: C
Explanation
To allow the Lambda function (running within the VPC) to access the on-premises database, the VPC's route tables must be updated to route traffic destined for the on-premises network range through the virtual private gateway connected to AWS Direct Connect. Establishing a new VPN is redundant since Direct Connect is already in place, and Lambda cannot route traffic directly through an Elastic IP without an ENI. Properly configuring the VPC route tables ensures that the network path to the on-premises private subnet is established and active.