AWS Certified Solutions Architect – Associate (SAA-C03) — Question 480

A company is running a microservices application on Amazon EC2 instances. The company wants to migrate the application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for scalability. The company must configure the Amazon EKS control plane with endpoint private access set to true and endpoint public access set to false to maintain security compliance. The company must also put the data plane in private subnets. However, the company has received error notifications because the node cannot join the cluster.

Which solution will allow the node to join the cluster?

Answer options

• A. Grant the required permission in AWS Identity and Access Management (IAM) to the AmazonEKSNodeRole IAM role.
• B. Create interface VPC endpoints to allow nodes to access the control plane.
• C. Recreate nodes in the public subnet. Restrict security groups for EC2 nodes.
• D. Allow outbound traffic in the security group of the nodes.

Correct answer: B

Explanation

With Amazon EKS private endpoint access enabled and public access disabled, worker nodes in private subnets cannot reach the EKS control plane over the public internet. To establish a secure connection, interface VPC endpoints must be created within the VPC for Amazon EKS. This allows the nodes to privately resolve and communicate with the cluster's API server, resolving the registration failure.