AWS Certified Solutions Architect – Associate (SAA-C03) — Question 675

A company runs a real-time data ingestion solution on AWS. The solution consists of the most recent version of Amazon Managed Streaming for Apache Kafka (Amazon MSK). The solution is deployed in a VPC in private subnets across three Availability Zones.

A solutions architect needs to redesign the data ingestion solution to be publicly available over the internet. The data in transit must also be encrypted.

Which solution will meet these requirements with the MOST operational efficiency?

Answer options

• A. Configure public subnets in the existing VPC. Deploy an MSK cluster in the public subnets. Update the MSK cluster security settings to enable mutual TLS authentication.
• B. Create a new VPC that has public subnets. Deploy an MSK cluster in the public subnets. Update the MSK cluster security settings to enable mutual TLS authentication.
• C. Deploy an Application Load Balancer (ALB) that uses private subnets. Configure an ALB security group inbound rule to allow inbound traffic from the VPC CIDR block for HTTPS protocol.
• D. Deploy a Network Load Balancer (NLB) that uses private subnets. Configure an NLB listener for HTTPS communication over the internet.

Correct answer: A

Explanation

Amazon MSK allows public access to its brokers when they are deployed in public subnets, provided that a secure authentication method like mutual TLS (mTLS) is enabled. Doing this within the existing VPC is highly operationally efficient compared to creating a new VPC. Using load balancers in private subnets does not natively expose the MSK cluster to the public internet and adds unnecessary architectural complexity.