Question #1110
A company operates applications on Amazon EC2 instances within a VPC. One application requires access to the Amazon DynamoDB API to store and retrieve data. The company's security policies mandate that no application traffic can traverse the public internet. Which solution will satisfy these requirements?
A. Create a DynamoDB table in a private subnet within the VPC.
B. Configure a DynamoDB gateway endpoint for the VPC.
C. Ensure the DynamoDB table is in the same AWS Region as the EC2 instances.
D. Deploy a NAT gateway in the same subnet as the EC2 instances.
Explanation
Answer B is correct. A VPC gateway endpoint for DynamoDB adds a route for the DynamoDB prefix list (the service's public IP ranges in that Region) to the route tables you select, with the endpoint as the target. Because that route is more specific than the 0.0.0.0/0 default, DynamoDB API calls from the associated subnets are delivered over the AWS network instead of leaving through an internet gateway or NAT gateway, which satisfies the policy. The endpoint must be associated with the route tables of the subnets the EC2 instances use, and security groups and network ACLs must still allow outbound HTTPS (TCP 443) to the prefix list. An endpoint policy can additionally restrict which principals and which tables are reachable through the endpoint.
Option A is incorrect because DynamoDB is a fully managed regional service; tables are not created in a VPC or subnet. Option C is insufficient because the Region only determines which DynamoDB public endpoint is used; without a VPC endpoint, traffic to that endpoint still leaves the VPC through an internet gateway or NAT gateway. Option D is incorrect because a NAT gateway forwards private-subnet traffic out through an internet gateway to the public internet, which is exactly what the policy prohibits.
Key Points:
- Gateway endpoints (available for DynamoDB and S3) provide private VPC-to-service connectivity by inserting a prefix-list route into the chosen route tables; they are free and can carry an endpoint policy for least-privilege access.
- DynamoDB tables are regional resources and are never deployed into subnets.
- NAT gateways exist to give private subnets internet access, which is prohibited here.
- After creating the endpoint, verify that every route table used by the application subnets has the vpce- route; a subnet whose table only has a NAT or IGW default route still reaches DynamoDB over the internet.
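The following is an added example, not part of the original question set or AWS documentation. It shows the check a practitioner would run after answering B: audit route tables (in the shape `aws ec2 describe-route-tables` returns) to see whether DynamoDB traffic from each table's subnets goes through a gateway endpoint, a NAT gateway, an internet gateway, or nowhere, and build a least-privilege endpoint policy for the endpoint. The route tables, prefix-list ID, resource IDs, table ARN and account ID are constructed placeholders, not real resources; the real prefix-list ID comes from `aws ec2 describe-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.<region>.dynamodb`.

```python
"""Audit VPC route tables for a DynamoDB gateway endpoint and build a
least-privilege endpoint policy.  Added example with constructed data;
IDs, ARNs and account numbers below are placeholders (assumptions)."""
import json

# Assumption: the Region's DynamoDB prefix-list ID, normally looked up with
# `aws ec2 describe-prefix-lists`.  Placeholder value.
DYNAMODB_PREFIX_LIST = "pl-0123456789abcdef0"

# Constructed sample of describe-route-tables output, trimmed to the fields
# this check needs.  Four typical cases for an application VPC.
SAMPLE_ROUTE_TABLES = [
    {   # private subnet: NAT default route, plus the gateway endpoint route
        "RouteTableId": "rtb-private-ok",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"},
            {"DestinationPrefixListId": DYNAMODB_PREFIX_LIST, "GatewayId": "vpce-0ddb"},
        ],
    },
    {   # private subnet with NAT only: DynamoDB calls leave via the internet
        "RouteTableId": "rtb-private-nat-only",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"},
        ],
    },
    {   # public subnet with an internet gateway default route, no endpoint
        "RouteTableId": "rtb-public",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb"},
        ],
    },
    {   # isolated subnet: no default route and no endpoint route
        "RouteTableId": "rtb-isolated",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]


def dynamodb_path(route_table, prefix_list_id):
    """Classify how DynamoDB API traffic leaves subnets using this route table.

    A prefix-list route to a vpce- target is more specific than 0.0.0.0/0,
    so it wins whenever present.  Otherwise the default route decides.
    """
    routes = route_table.get("Routes", [])
    for r in routes:
        if (r.get("DestinationPrefixListId") == prefix_list_id
                and r.get("GatewayId", "").startswith("vpce-")):
            return "gateway-endpoint"
    for r in routes:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            if "NatGatewayId" in r:
                return "nat-gateway"
            if r.get("GatewayId", "").startswith("igw-"):
                return "internet-gateway"
    return "unreachable"


def audit(route_tables, prefix_list_id):
    """Map every route table ID to the path DynamoDB traffic would take."""
    return {rt["RouteTableId"]: dynamodb_path(rt, prefix_list_id) for rt in route_tables}


def violations(route_tables, prefix_list_id):
    """Route tables whose DynamoDB traffic would traverse the public internet."""
    paths = audit(route_tables, prefix_list_id)
    return sorted(rt for rt, p in paths.items() if p in ("nat-gateway", "internet-gateway"))


def endpoint_policy(table_arn, account_id):
    """Gateway endpoint policy limiting the endpoint to one account and one table.

    Gateway endpoint policies use Principal "*" and narrow access with
    conditions; aws:PrincipalAccount keeps other accounts' credentials from
    using this VPC's endpoint.
    """
    actions = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
               "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:BatchGetItem",
               "dynamodb:BatchWriteItem"]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOnlyOurTableFromOurAccount",
            "Effect": "Allow",
            "Principal": "*",
            "Action": actions,
            "Resource": [table_arn, f"{table_arn}/index/*"],
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_ROUTE_TABLES, DYNAMODB_PREFIX_LIST), indent=2))
    print("violations:", violations(SAMPLE_ROUTE_TABLES, DYNAMODB_PREFIX_LIST))
    # Placeholder ARN and account ID (assumptions).
    print(json.dumps(endpoint_policy(
        "arn:aws:dynamodb:us-east-1:111122223333:table/Orders", "111122223333"), indent=2))
```

Against live data, feed the script the `RouteTables` list from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`; the policy it prints can be saved and passed to `aws ec2 create-vpc-endpoint --vpc-endpoint-type Gateway --service-name com.amazonaws.<region>.dynamodb --vpc-id <vpc-id> --route-table-ids <rtb-ids> --policy-document file://policy.json`. Note that `rtb-isolated` is reported as unreachable rather than as a violation: it does not break the no-internet policy, but the application there cannot reach DynamoDB until the endpoint is associated with that table too.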
Answer
The correct answer is: B