Question #1487
A company is building a microservices-based order processing system that must expose RESTful APIs to users through a frontend. The backend services are containerized and deployed in private subnets within a VPC. The solution must ensure that the REST APIs can securely communicate with the backend services. Which approach satisfies these requirements?
A. Implement a WebSocket API using Amazon API Gateway. Deploy the backend services on Amazon Elastic Container Service (Amazon ECS) in a private subnet. Establish a private VPC link to connect API Gateway to Amazon ECS.
B. Implement a REST API using Amazon API Gateway. Deploy the backend services on Amazon Elastic Container Service (Amazon ECS) in a private subnet. Establish a private VPC link to connect API Gateway to Amazon ECS.
C. Implement a WebSocket API using Amazon API Gateway. Deploy the backend services on Amazon Elastic Container Service (Amazon ECS) in a private subnet. Configure security groups to allow API Gateway to access Amazon ECS.
D. Implement a REST API using Amazon API Gateway. Deploy the backend services on Amazon Elastic Container Service (Amazon ECS) in a private subnet. Configure security groups to allow API Gateway to access Amazon ECS.
Explanation
Answer B is correct because:
1. REST API Requirement: The question specifies RESTful APIs, so using Amazon API Gateway with a REST API (not WebSocket) is required. This eliminates options A and C.
2. Secure Communication: Backend services in private subnets cannot be directly exposed to the internet. A VPC link (AWS PrivateLink) enables private connectivity between API Gateway and ECS without public exposure. Security groups alone (as in option D) cannot route traffic to private subnets.
3. VPC Link: Option B correctly uses a VPC link, ensuring secure, private communication between API Gateway and ECS.
Key Points:
- Use an Amazon API Gateway REST API for RESTful endpoints.
- VPC links are required for private subnet integration with API Gateway.
- Security groups control traffic but cannot bypass the need for VPC connectivity.
Answer
The correct answer is: B