AWS Certified Solutions Architect - Associate / Question #1631 of 1019

Question #1631

A company operates a database application on Amazon EC2 instances within a private subnet. The application requires access to a sensitive DynamoDB table. The connection to DynamoDB must not traverse the internet. Which solution meets these requirements?

A

Configure an internet gateway. Update the DynamoDB resource policy to allow access from the internet gateway. Update the application to use the internet gateway.

B

Configure a VPN connection. Update the DynamoDB resource policy to allow access from the VPN connection. Update the application to use the VPN connection.

C

Configure a NAT gateway. Update the DynamoDB resource policy to allow access from the NAT gateway. Update the application to use the NAT gateway.

D

Configure a VPC endpoint for DynamoDB. Update the DynamoDB resource policy to allow access from the VPC endpoint. Update the application to use the VPC endpoint.

Explanation

Option D is correct because a gateway VPC endpoint for DynamoDB adds a route for the DynamoDB service prefix list to the private subnet's route table, so requests from the EC2 instances reach DynamoDB over the AWS network and never traverse the internet. The instances need no public IP, NAT gateway or internet gateway for this path. The table's access policy can then be restricted to requests that arrive through that endpoint (for example with an aws:sourceVpce condition), so the endpoint becomes the only way to reach the sensitive table.

Other options are incorrect:
- A: An internet gateway sends traffic to DynamoDB's public endpoint over the internet, which is exactly what the requirement forbids; it also requires public IP addresses, which instances in a private subnet do not have.
- B: A VPN connection links an on-premises (or other external) network to the VPC; it is not a path from a VPC to an AWS service, and a Site-to-Site VPN is an encrypted tunnel that still runs over the public internet.
- C: A NAT gateway gives private-subnet instances outbound access to DynamoDB's public endpoint through the internet gateway; the traffic is TLS-encrypted, but it leaves the VPC via public IP space, so the requirement is not met.

Key Points:
1. Gateway VPC endpoints (available for S3 and DynamoDB) provide private access from a VPC through a route-table entry for the service prefix list; that route is more specific than the 0.0.0.0/0 default route, so it wins over a NAT or internet gateway route in the same table. A gateway endpoint is reachable only from inside the VPC it is attached to, not over VPN or Direct Connect, which is fine here because the client is an EC2 instance in the VPC.
2. Restrict the table to the endpoint with an aws:sourceVpce condition (in the table's resource policy, the application role's IAM policy, or both), and use the endpoint policy to limit which tables and actions are reachable through the endpoint. Without such a condition the endpoint only adds a private path; it does not prevent access from elsewhere.
3. EC2 instances in private subnets cannot use internet gateway, NAT gateway or VPN based solutions without violating the 'no internet' requirement.
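The two checks a practitioner would actually run for option D are: does the private subnet's route table send DynamoDB-bound traffic to the gateway endpoint rather than the NAT gateway, and does the table's policy reject requests that do not arrive through that endpoint? The following is an added example, not code from the exam page or from AWS. It works offline on constructed route tables (trimmed to the fields that ec2 DescribeRouteTables returns) and on a constructed table resource policy; the endpoint, NAT gateway, prefix list, role and table identifiers are hypothetical, and the policy evaluator implements only the explicit-deny-wins rule and the two string operators the policy uses, not all of IAM.

```python
import fnmatch

# Hypothetical identifiers used only for this example.
DYNAMODB_PREFIX_LIST = "pl-0dynamodbexample"  # gateway endpoints route by service prefix list
ENDPOINT_ID = "vpce-0a1b2c3d4e5f67890"
NAT_GATEWAY_ID = "nat-0f1e2d3c4b5a69788"
APP_ROLE_ARN = "arn:aws:iam::123456789012:role/db-app-role"
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/sensitive-table"

# Constructed route tables for the private subnet, with and without the endpoint route.
PRIVATE_RT_WITH_ENDPOINT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_GATEWAY_ID, "State": "active"},
    {"DestinationPrefixListId": DYNAMODB_PREFIX_LIST, "GatewayId": ENDPOINT_ID, "State": "active"},
]}
PRIVATE_RT_NAT_ONLY = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_GATEWAY_ID, "State": "active"},
]}


def dynamodb_path(route_table, prefix_list=DYNAMODB_PREFIX_LIST):
    """Classify how DynamoDB-bound packets leave the subnet.

    A gateway endpoint installs a route for the service prefix list; that route is
    more specific than 0.0.0.0/0, so it is preferred over a NAT or internet gateway
    default route. Only active routes count."""
    active = [r for r in route_table["Routes"] if r.get("State") == "active"]
    for r in active:
        if r.get("DestinationPrefixListId") == prefix_list and r.get("GatewayId", "").startswith("vpce-"):
            return "gateway-endpoint"
    for r in active:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if "NatGatewayId" in r:
                return "nat-gateway"          # reaches DynamoDB's public endpoint via the IGW
            if r.get("GatewayId", "").startswith("igw-"):
                return "internet-gateway"
    return "no-route"


# Constructed table resource policy: allow the app role, and explicitly deny any
# request that did not arrive through the endpoint (missing key also matches
# StringNotEquals, as in IAM).
TABLE_RESOURCE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAppRole", "Effect": "Allow", "Principal": {"AWS": APP_ROLE_ARN},
     "Action": ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query"], "Resource": TABLE_ARN},
    {"Sid": "DenyOutsideEndpoint", "Effect": "Deny", "Principal": "*",
     "Action": "dynamodb:*", "Resource": TABLE_ARN,
     "Condition": {"StringNotEquals": {"aws:sourceVpce": ENDPOINT_ID}}},
]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def evaluate(policy, principal, action, resource, context):
    """Minimal resource-policy evaluator: explicit Deny beats Allow, default Deny.
    Supports Principal "*" / {"AWS": ...}, wildcard actions and resources, and the
    StringEquals / StringNotEquals operators; context holds request condition keys."""
    def principal_ok(p):
        return p == "*" or (isinstance(p, dict) and principal in _as_list(p.get("AWS", [])))

    def pattern_ok(patterns, value):
        return any(fnmatch.fnmatchcase(value, pat) for pat in _as_list(patterns))

    def condition_ok(cond):
        for op, pairs in cond.items():
            for key, expected in pairs.items():
                actual = context.get(key)
                if op == "StringEquals" and actual != expected:
                    return False
                if op == "StringNotEquals" and actual == expected:
                    return False
        return True

    decision = "Deny"  # implicit deny unless an Allow matches
    for st in policy["Statement"]:
        if not (principal_ok(st["Principal"]) and pattern_ok(st["Action"], action)
                and pattern_ok(st["Resource"], resource) and condition_ok(st.get("Condition", {}))):
            continue
        if st["Effect"] == "Deny":
            return "ExplicitDeny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print("route with endpoint:", dynamodb_path(PRIVATE_RT_WITH_ENDPOINT))
    print("route NAT only:     ", dynamodb_path(PRIVATE_RT_NAT_ONLY))
    print("via endpoint:", evaluate(TABLE_RESOURCE_POLICY, APP_ROLE_ARN, "dynamodb:GetItem",
                                    TABLE_ARN, {"aws:sourceVpce": ENDPOINT_ID}))
    print("via NAT:     ", evaluate(TABLE_RESOURCE_POLICY, APP_ROLE_ARN, "dynamodb:GetItem",
                                    TABLE_ARN, {}))
```

The route check shows why option C fails even when an endpoint is later added: if the prefix-list route is missing or inactive, the 0.0.0.0/0 route via the NAT gateway silently carries the DynamoDB traffic. The policy check shows the complementary control: a request from the correct role that arrives without the aws:sourceVpce key (for example through a NAT gateway) hits the explicit deny, while the same request through the endpoint is allowed.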

Answer

The correct answer is: D