Question #1574
A company operates an application within a VPC that spans multiple Availability Zones, utilizing both public and private subnets. The application's EC2 instances are located in the private subnets and must interact with an Amazon SQS queue. A solutions architect must design a secure connection between these instances and the SQS queue without exposing traffic to the public internet.
Which solution meets these requirements?
A. Deploy an interface VPC endpoint for SQS in the private subnets. Attach a security group to the endpoint that permits inbound traffic from the EC2 instances' security group.
B. Create an interface VPC endpoint for SQS in the public subnets. Apply a VPC endpoint policy that grants access to the EC2 instances' private IP addresses.
C. Set up a gateway VPC endpoint for SQS and associate it with the private subnets. Configure the EC2 instances' security group to allow outbound traffic to the SQS endpoint.
D. Use a NAT gateway in the public subnets and configure the EC2 instances to route SQS traffic through it. Attach an IAM role with SQS permissions to the instances.
Explanation
Answer A is correct because:
1. Interface VPC Endpoint: SQS is reached through an interface endpoint (AWS PrivateLink), not a gateway endpoint; gateway endpoints exist only for S3 and DynamoDB. The interface endpoint places an ENI with a private IP address in each selected private subnet (one per Availability Zone for resilience). With private DNS enabled, the standard SQS hostname (sqs.<region>.amazonaws.com) resolves to those private IPs, so the application needs no code or SDK changes.
2. Security Groups: Attaching a security group to the endpoint that allows inbound TCP 443 only from the EC2 instances' security group restricts who can reach the endpoint ENIs. The instances still need an IAM role with the required SQS permissions; the security group controls network reachability, IAM controls authorization.
3. No Public Internet: Traffic travels from the instances to the endpoint ENI over the VPC and then across the AWS network to SQS. No internet gateway, NAT gateway, or public IP is involved, which meets the requirement.
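The following Terraform configuration is an added illustration of option A; it is not part of the original question or of any AWS sample. The variable names (vpc_id, private_subnet_ids, instance_sg_id, queue_arn, queue_url, region) are placeholders to be supplied by the reader. It goes slightly beyond the question by also attaching an SQS queue policy that denies requests not arriving through this endpoint, a common hardening step.

```hcl
# Added example (not from the original page): interface VPC endpoint for SQS
# in private subnets, locked down with a security group, an endpoint policy,
# and a queue policy. All variables below are assumed inputs.

variable "vpc_id"             { type = string }
variable "private_subnet_ids" { type = list(string) } # one subnet per AZ
variable "instance_sg_id"     { type = string }       # security group of the app EC2 instances
variable "queue_arn"          { type = string }
variable "queue_url"          { type = string }
variable "region"             { type = string }

# Security group attached to the endpoint ENIs. Only the application
# instances' security group may open HTTPS connections to the endpoint.
resource "aws_security_group" "sqs_endpoint" {
  name        = "sqs-endpoint-sg"
  description = "Allow HTTPS from app instances to the SQS interface endpoint"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [var.instance_sg_id]
  }
}

# Interface endpoint (PrivateLink) for SQS. The ENIs live in the private
# subnets, and private DNS makes sqs.<region>.amazonaws.com resolve to them,
# so the application's existing SDK configuration keeps working.
resource "aws_vpc_endpoint" "sqs" {
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.sqs"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.sqs_endpoint.id]
  private_dns_enabled = true

  # Endpoint policy is an IAM resource policy: it constrains which actions and
  # which queue can be used through this endpoint. It is not an IP allow-list.
  # The instance role must still grant the same actions.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = "*"
      Action    = ["sqs:SendMessage", "sqs:ReceiveMessage",
                   "sqs:DeleteMessage", "sqs:GetQueueUrl",
                   "sqs:GetQueueAttributes"]
      Resource  = var.queue_arn
    }]
  })
}

# Hardening beyond the question: refuse any request to the queue that did not
# arrive through this endpoint, so a leaked credential used from the internet
# or another VPC cannot reach the queue.
resource "aws_sqs_queue_policy" "private_only" {
  queue_url = var.queue_url

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyIfNotFromEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "sqs:*"
      Resource  = var.queue_arn
      Condition = {
        StringNotEquals = {
          "aws:sourceVpce" = aws_vpc_endpoint.sqs.id
        }
      }
    }]
  })
}
```

After applying, verify from an instance in a private subnet that `dig +short sqs.<region>.amazonaws.com` returns addresses inside the private subnet CIDRs and that an SQS call such as get-queue-attributes succeeds with no NAT gateway route present; if DNS still returns public addresses, private DNS is not enabled or the VPC lacks DNS hostname/resolution support.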
Why other options are incorrect:
- B: An interface endpoint's ENI receives a private IP whichever subnet it is placed in, so putting it in the public subnets is unnecessary and mixes the endpoint with internet-facing resources. More importantly, a VPC endpoint policy is an IAM resource policy that scopes principals, actions, and resources (queue ARNs); it does not grant access to private IP addresses. Network access is controlled by the endpoint's security group.
- C: Gateway endpoints exist only for S3 and DynamoDB; there is no gateway endpoint for SQS, so this option cannot be built.
- D: A NAT gateway forwards traffic through the internet gateway to the public SQS endpoint. The connection is TLS-encrypted, but it still traverses the public internet, which violates the requirement. The IAM role is needed in every option and does not change the network path.
Key Points:
- Use interface VPC endpoints (PrivateLink) for SQS, with one ENI per Availability Zone and private DNS enabled.
- Security groups on the endpoint (inbound TCP 443 from the instances' security group) control network access; endpoint policies and the instance IAM role control authorization.
- Gateway endpoints only work for S3 and DynamoDB.
Answer
The correct answer is: A