AWS Certified Solutions Architect - Associate / Question #2035 of 1019

Question #2035

A company operates a backend service within a private subnet behind a Network Load Balancer (NLB) in a VPC. The VPC includes a NAT gateway and an internet gateway. The service interacts with an Amazon DynamoDB table to store and retrieve data. The company's security policy mandates that all traffic to DynamoDB must not traverse the public internet. Which solution MOST cost-effectively meets these requirements?

A. Configure a DynamoDB interface endpoint. Create a security group allowing outbound traffic to DynamoDB.

B. Configure a DynamoDB gateway endpoint. Update the VPC route tables to route traffic through the endpoint.

C. Apply a DynamoDB resource policy that permits access from the Elastic IP address assigned to the NAT gateway.

D. Provision a second NAT gateway in the same subnet as the backend service and adjust the VPC route tables.

Explanation

Answer B is correct because DynamoDB gateway endpoints are specifically designed to enable private connectivity between a VPC and DynamoDB without traversing the public internet. Gateway endpoints are free and work by updating VPC route tables to direct DynamoDB traffic through AWS's private network. This aligns with the security policy and minimizes costs.

Why other options are incorrect:
- A: DynamoDB uses gateway endpoints, not interface endpoints. Interface endpoints incur costs and are unnecessary here.
- C: Using a NAT gateway's Elastic IP still routes traffic over the public internet, violating the policy.
- D: Adding NAT gateways does not resolve the public internet dependency and increases costs.

Key Points:
1. DynamoDB gateway endpoints are free and provide private connectivity.
2. Route tables must be updated to use the endpoint.
3. NAT gateways and public IPs do not meet the 'no public internet' requirement.
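As an added example (not part of the question bank), a small Python audit of Key Point 2: given route-table and endpoint descriptions in the shape of the `aws ec2 describe-route-tables` and `describe-vpc-endpoints` output, it reports which private route tables still send DynamoDB traffic through the NAT gateway instead of a gateway endpoint. The resource ids are constructed placeholders.

```python
# Constructed sample data (placeholder ids, not real resources) in the shape
# returned by `aws ec2 describe-route-tables` / `describe-vpc-endpoints`.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"},
    ]},
    {"RouteTableId": "rtb-private-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
    ]},
]
ENDPOINTS = [
    {"VpcEndpointId": "vpce-0example", "VpcEndpointType": "Gateway",
     "ServiceName": "com.amazonaws.us-east-1.dynamodb",
     "RouteTableIds": ["rtb-private-a"]},
]


def dynamodb_egress_paths(route_tables, endpoints):
    """Map each route table id to how DynamoDB traffic would leave it:
    'endpoint' (gateway endpoint route present), 'nat' (only a default
    route via a NAT gateway, i.e. over the public internet) or 'none'."""
    ddb_vpce = {
        ep["VpcEndpointId"] for ep in endpoints
        if ep.get("VpcEndpointType") == "Gateway"
        and ep.get("ServiceName", "").endswith(".dynamodb")
    }
    paths = {}
    for rt in route_tables:
        verdict = "none"
        for route in rt.get("Routes", []):
            # The prefix-list route to the endpoint is more specific than
            # 0.0.0.0/0, so it wins by longest-prefix match.
            if route.get("DestinationPrefixListId") and route.get("GatewayId") in ddb_vpce:
                verdict = "endpoint"
                break
            if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("NatGatewayId"):
                verdict = "nat"
        paths[rt["RouteTableId"]] = verdict
    return paths


def noncompliant_route_tables(route_tables, endpoints):
    """Route tables whose DynamoDB traffic is not pinned to a gateway endpoint."""
    paths = dynamodb_egress_paths(route_tables, endpoints)
    return sorted(rt for rt, path in paths.items() if path != "endpoint")
```

Running `noncompliant_route_tables(ROUTE_TABLES, ENDPOINTS)` on the sample returns `['rtb-private-b']`, the table that still needs the endpoint association from Key Point 2.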

Answer

The correct answer is: B