Question #621
A developer is migrating features from a legacy monolithic application to AWS Lambda functions. The application uses an Amazon ElastiCache Redis cluster deployed in private subnets of a VPC. The Lambda functions and the ElastiCache cluster are in the same AWS Region and account. The developer needs to ensure the Lambda functions can securely access the ElastiCache cluster without traversing the public internet.
Which solution will meet these requirements?
A. Configure the ElastiCache cluster to allow public access.
B. Set up an Amazon API Gateway between the Lambda functions and the ElastiCache cluster.
C. Configure a NAT gateway and a security group for the Lambda functions.
D. Configure the VPC, subnets, and a security group for the Lambda functions.
Explanation
Answer D is correct because Lambda functions must be attached to the same VPC and private subnets as the ElastiCache cluster to enable direct, secure communication within the AWS network. Configuring the VPC, subnets, and security group ensures traffic stays internal and adheres to security rules.
Why other options are incorrect:
- A: Enabling public access on ElastiCache exposes it to the internet, violating security requirements.
- B: API Gateway is designed for HTTP APIs, not Redis protocols, and introduces unnecessary public exposure.
- C: NAT gateways are used for outbound internet access from private subnets, which is irrelevant for internal VPC communication.
Key Points:
1. Lambda must be VPC-configured to access private subnets.
2. Security groups must allow Lambda's ENI to connect to the Redis port.
3. Avoid public exposure or unnecessary components for secure VPC-internal access.
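The configuration that option D and the key points describe, written as a CloudFormation template. This is an added example, not part of the original question. All parameter and resource names are assumptions, the ElastiCache cluster's security group is assumed to exist already and is passed in, and 6379 is the Redis default port.

```yaml
Parameters:   # names below are assumptions of this example
  VpcId: {Type: AWS::EC2::VPC::Id}
  PrivateSubnetIds: {Type: "List<AWS::EC2::Subnet::Id>"}
  RedisSecurityGroupId: {Type: AWS::EC2::SecurityGroup::Id}
  RedisHost: {Type: String}                  # cluster endpoint, private DNS name
  RedisPort: {Type: Number, Default: 6379}   # Redis default port
Resources:
  LambdaSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda ENIs that talk to Redis
      VpcId: !Ref VpcId
      SecurityGroupEgress:        # no ingress rules; egress only to the cache
        - IpProtocol: tcp
          FromPort: !Ref RedisPort
          ToPort: !Ref RedisPort
          DestinationSecurityGroupId: !Ref RedisSecurityGroupId
  RedisIngressFromLambda:         # key point 2: allow Lambda's ENI to reach the Redis port
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref RedisSecurityGroupId
      IpProtocol: tcp
      FromPort: !Ref RedisPort
      ToPort: !Ref RedisPort
      SourceSecurityGroupId: !GetAtt LambdaSecurityGroup.GroupId
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: {Service: lambda.amazonaws.com}
            Action: sts:AssumeRole
      ManagedPolicyArns:          # lets Lambda create and delete its ENIs in the VPC
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole
  CacheClientFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      VpcConfig:                  # key point 1: attach the function to the private subnets
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds: [!GetAtt LambdaSecurityGroup.GroupId]
      Code:
        ZipFile: !Sub |
          import socket
          def handler(event, context):  # TCP reachability check only
              socket.create_connection(("${RedisHost}", ${RedisPort}), timeout=3).close()
```

The ingress rule references the Lambda security group rather than a CIDR range, so only ENIs carrying that group can reach the cache, and no NAT gateway or public endpoint is involved.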
Answer
The correct answer is: D