Question #1313
An application hosted on Amazon EC2 instances must access an Amazon DynamoDB table. All traffic must remain within the AWS network without traversing the internet.
How should a solutions architect configure access to meet these requirements?
A. Create a private hosted zone using Amazon Route 53.
B. Set up a gateway VPC endpoint for DynamoDB in the VPC.
C. Configure the EC2 instances to use a NAT gateway to access DynamoDB.
D. Establish an AWS Direct Connect connection between the VPC and DynamoDB.
Explanation
The correct answer is B. A gateway VPC endpoint allows EC2 instances in a VPC to privately access DynamoDB without internet traffic.
- Why B is correct: Gateway VPC endpoints route DynamoDB traffic through AWS's internal network, meeting the requirement to avoid the internet. They are configured in the VPC's route tables, ensuring all DynamoDB requests stay within AWS.
- Why A is incorrect: A private hosted zone in Route 53 manages DNS records within a VPC but does not inherently restrict DynamoDB traffic to the AWS network.
- Why C is incorrect: A NAT gateway enables internet access for private subnets, but traffic would traverse the public internet, violating the requirement.
- Why D is incorrect: AWS Direct Connect connects on-premises networks to AWS, which is unnecessary here since both EC2 and DynamoDB are already within AWS.
Key Points: Use VPC gateway endpoints (available for DynamoDB and S3 only; other services use interface endpoints) to keep traffic within AWS. A gateway endpoint takes effect only for the route tables it is associated with, and an endpoint policy can further restrict which tables and actions are reachable through it. Avoid NAT gateways or public internet routes for intra-AWS service access.
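The configuration behind answer B, as an added Terraform example that is not part of the original question or explanation: a gateway endpoint for DynamoDB associated with the private subnets' route tables, an endpoint policy that limits what can be reached through it, and an instance-role policy that only allows the table when the request arrives via that endpoint. The region, VPC ID, route table ID and table ARN are placeholder assumptions.

```hcl
# Added example, not from the original page. All IDs and ARNs below are placeholders.
locals {
  region      = "us-east-1"                                            # assumption
  vpc_id      = "vpc-0123456789abcdef0"                               # placeholder
  route_tbls  = ["rtb-0123456789abcdef0"]                             # private subnet route tables
  table_arn   = "arn:aws:dynamodb:us-east-1:111122223333:table/Orders" # placeholder
  app_actions = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Query", "dynamodb:UpdateItem"]
}

# Gateway endpoint: AWS adds a prefix-list route for DynamoDB to each listed route table,
# so EC2 traffic to DynamoDB stays on the AWS network (no IGW or NAT gateway involved).
resource "aws_vpc_endpoint" "dynamodb" {
  vpc_id            = local.vpc_id
  service_name      = "com.amazonaws.${local.region}.dynamodb"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = local.route_tbls

  # Endpoint policy (least privilege): only this table and its indexes are reachable
  # through the endpoint, and only with the actions the application needs.
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowAppTableOnly"
      Effect    = "Allow"
      Principal = "*"
      Action    = local.app_actions
      Resource  = [local.table_arn, "${local.table_arn}/index/*"]
    }]
  })

  tags = { Name = "dynamodb-gateway-endpoint" }
}

# Defence in depth for the instance role: the table may be used only when the request
# comes through this endpoint, so a misrouted subnet cannot reach it over a public path.
data "aws_iam_policy_document" "app_dynamodb" {
  statement {
    sid       = "TableViaEndpointOnly"
    effect    = "Allow"
    actions   = local.app_actions
    resources = [local.table_arn, "${local.table_arn}/index/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:sourceVpce"
      values   = [aws_vpc_endpoint.dynamodb.id]
    }
  }
}
```

Attach the resulting policy document to the EC2 instance role (not shown) and verify with `aws ec2 describe-route-tables` that each private route table carries the DynamoDB prefix-list route pointing at the endpoint.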
Answer
The correct answer is: B