AWS Certified Solutions Architect – Professional — Question 808
A company has two VPCs: VPC A and VPC B. The company uses a solution in VPC A in the ca-central-1 Region to expose services that are deployed on Amazon EC2 instances. The services read objects that are stored in an Amazon S3 bucket in ca-central-1. The S3 bucket must not be publicly accessible, and the EC2 instances must use a gateway VPC endpoint. A rule in the S3 bucket policy allows only traffic that comes from the VPC A endpoint.
The company recently created another application. The application is hosted on EC2 instances that are deployed in VPC B in the us-east-1 Region in the same AWS account. The application needs to access objects that are stored in the S3 bucket in ca-central-1.
Which solution will meet these requirements?
Answer options
- A. Create a cross-Region VPC peering connection between the two VPCs. Add a route in the route table of VPC B to use the peering connection to access the S3 gateway VPC endpoint.
- B. Create a gateway VPC endpoint in VPC B in us-east-1. Add a route in the route table of VPC B to use the S3 gateway VPC endpoint to access Amazon S3. Update the S3 bucket policy to accept connection from this gateway VPC endpoint.
- C. Create a third VPC (VPC C) in ca-central-1. Create a cross-Region VPC peering connection between VPC C and VPC B in us-east-1. Use AWS PrivateLink with a Network Load Balancer (NLB) to expose the services in VPC A in ca-central-1. Use the interface VPC endpoint created with PrivateLink in VPC C to call the services.
- D. Create a virtual private gateway, and attach it to VPC A in ca-central-1. Create an IPsec VPN connection between the EC2 instances in us-east-1 and the virtual private gateway. Grant the EC2 instances in us-east-1 direct access to the S3 bucket by adding a route to use the VPN connection to access Amazon S3.
Correct answer: C
Explanation
Option C is correct because gateway VPC endpoints are Regional and do not support transitive routing: a gateway endpoint cannot be reached over a VPC peering connection (which rules out Option A), and a gateway endpoint in us-east-1 can reach only S3 buckets in us-east-1, not the bucket in ca-central-1 (which rules out Option B). By using AWS PrivateLink with a Network Load Balancer to expose the services in VPC A, and establishing a cross-Region VPC peering connection between VPC C and VPC B, the application in VPC B can call those services privately across Regions; the services themselves still read the bucket through the VPC A gateway endpoint, which is the only source the bucket policy allows. Option D is incorrect because an IPsec VPN connection cannot be used to route traffic directly to an S3 gateway VPC endpoint.
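As an added illustration that is not part of the original question, this is the shape of the bucket policy rule the scenario describes: any request that does not arrive through the VPC A gateway endpoint is denied, so a request from a different endpoint (such as the VPC B endpoint proposed in Option B) carries a different `aws:SourceVpce` value and fails, and a request from the internet carries none and fails. The bucket name and endpoint ID are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAllAccessExceptFromVpcAGatewayEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::amzn-s3-demo-bucket",
        "arn:aws:s3:::amzn-s3-demo-bucket/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "vpce-1a2b3c4d"
        }
      }
    }
  ]
}
```

Because this is an explicit Deny, it also blocks requests that do not come through any endpoint at all, including console and CLI access from outside VPC A, so an exception for an administrative principal is normally added before the policy is applied.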