Question #1050
A company is restructuring its patching process for Amazon EC2 instances in its application account. Currently, instances are patched over the internet using a NAT gateway in the application account's VPC.
The company maintains a patch repository hosted on EC2 instances within a dedicated private VPC in a separate core account. They plan to use AWS Systems Manager Patch Manager with this repository to patch the application account's EC2 instances. The solution must ensure that EC2 instances in the application account cannot access the internet.
Additionally, these EC2 instances require connectivity to Amazon DynamoDB for application data and to Systems Manager for management tasks. They also need access to the patch repository in the core account's VPC.
Which solution meets these requirements?
A. Create a security group that denies all outbound traffic. Associate it with all EC2 instances in the application account. Establish a VPN connection between the application account's VPC and the core account's VPC. Create VPC endpoints for DynamoDB and Systems Manager. Update route tables in both accounts.
B. Deploy VPC endpoints for DynamoDB and Systems Manager. Remove the NAT gateway from the application account's VPC. Set up a VPC peering connection between the application and core accounts. Modify route tables in both VPCs to allow traffic through the peering connection.
C. Implement a network ACL blocking all outbound traffic on ports 80 and 443. Associate this NACL with the application account's subnets. Use AWS Direct Connect to establish a private connection to the core account's VPC. Create a gateway endpoint for DynamoDB.
D. Delete the NAT gateway in the application account's VPC. Create a transit gateway to connect the application and core account VPCs. Configure VPC endpoints for DynamoDB and Systems Manager. Update the route tables to route traffic through the transit gateway.
Explanation
Option B meets all requirements:
1. VPC Endpoints: Deploying VPC endpoints for DynamoDB (gateway endpoint) and Systems Manager (interface endpoints) allows EC2 instances to access these services privately without internet access.
2. No NAT Gateway: Removing the NAT gateway ensures instances cannot access the internet.
3. VPC Peering: A peering connection between the application and core VPCs enables access to the patch repository. Route tables are updated in both VPCs to route traffic via the peering connection.
Why other options fail:
- A: A security group that denies all outbound traffic would also block the instances' traffic to the VPC endpoints and to the patch repository, and a VPN is unnecessary when VPC peering provides the private connection.
- C: A network ACL that blocks outbound ports 80 and 443 would block Systems Manager traffic (HTTPS on port 443) even with VPC endpoints in place.
- D: A transit gateway would also satisfy the requirements, but it is more complex than a VPC peering connection between two VPCs; B meets every requirement with the simpler construct.
Key Points: Use VPC endpoints for AWS services and VPC peering for cross-account private connectivity without internet.
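As an added example (not part of the original question), the following Python check evaluates a route table and a set of VPC endpoints against the three requirements: no path to the internet, a peering route to the core VPC, and private access to DynamoDB and Systems Manager. The records are constructed to mirror the relevant fields of `aws ec2 describe-route-tables` and `describe-vpc-endpoints` output; the CIDRs, resource IDs and region are assumptions.

```python
# Constructed sample data (assumption): shaped like the relevant fields of
# `aws ec2 describe-route-tables` and `aws ec2 describe-vpc-endpoints` output.
REGION = "us-east-1"
CORE_VPC_CIDR = "10.20.0.0/16"  # assumed CIDR of the core account's patch-repo VPC

ROUTES_BEFORE = [  # current state: default route via a NAT gateway
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
]
ROUTES_AFTER = [  # option B: NAT route removed, peering route to the core VPC added
    {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": CORE_VPC_CIDR, "VpcPeeringConnectionId": "pcx-0123456789abcdef0"},
    # route that a DynamoDB gateway endpoint installs (prefix list id is a placeholder)
    {"DestinationPrefixListId": "pl-PLACEHOLDER", "GatewayId": "vpce-0123456789abcdef0"},
]
ENDPOINTS_AFTER = [
    {"ServiceName": f"com.amazonaws.{REGION}.dynamodb", "VpcEndpointType": "Gateway"},
    {"ServiceName": f"com.amazonaws.{REGION}.ssm", "VpcEndpointType": "Interface"},
    {"ServiceName": f"com.amazonaws.{REGION}.ssmmessages", "VpcEndpointType": "Interface"},
    {"ServiceName": f"com.amazonaws.{REGION}.ec2messages", "VpcEndpointType": "Interface"},
]
# DynamoDB uses a gateway endpoint; the SSM agent needs the three interface endpoints.
REQUIRED_ENDPOINTS = {"dynamodb": "Gateway", "ssm": "Interface",
                      "ssmmessages": "Interface", "ec2messages": "Interface"}


def internet_routes(routes):
    """Routes whose target reaches the internet: an internet gateway or a NAT gateway."""
    return [r for r in routes
            if r.get("GatewayId", "").startswith("igw-") or "NatGatewayId" in r]


def has_peering_route(routes, cidr):
    """True if traffic for `cidr` is sent over a VPC peering connection."""
    return any(r.get("DestinationCidrBlock") == cidr and "VpcPeeringConnectionId" in r
               for r in routes)


def missing_endpoints(endpoints, region):
    """Required services with no endpoint of the expected type, sorted by name."""
    present = {e["ServiceName"]: e["VpcEndpointType"] for e in endpoints}
    return sorted(svc for svc, kind in REQUIRED_ENDPOINTS.items()
                  if present.get(f"com.amazonaws.{region}.{svc}") != kind)


def evaluate(routes, endpoints, region=REGION, core_cidr=CORE_VPC_CIDR):
    """Map each requirement from the question to a pass/fail for one route table."""
    return {
        "no_internet_path": not internet_routes(routes),
        "reaches_core_vpc": has_peering_route(routes, core_cidr),
        "private_aws_access": not missing_endpoints(endpoints, region),
    }
```

Run `evaluate` over every route table associated with the application subnets; a single table with a default route to a NAT gateway or internet gateway fails the first requirement.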
Answer
The correct answer is: B