Gateway Endpoints – Networking and Connectivity – SOA-C02 Study Guide

Gateway Endpoints

A gateway endpoint connects to DynamoDB or S3. You configure the route table within your VPC to send traffic over a VPC endpoint instead of the Internet. A VPC can have multiple gateway endpoints to different services in a route table. This greatly enhances security. For example, for a private subnet in a VPC to access S3 without a gateway endpoint, you would need a public subnet with a NAT gateway, and the traffic would have to be routed over the public AWS network. With a gateway endpoint, the traffic never leaves the AWS private backbone, and there is no need for a public subnet or Internet gateway in this scenario. Figure 11.11 shows the initial configuration of a gateway endpoint for S3.

FIGURE 11.11 Configuring a gateway endpoint for S3

ExamAlert

Interface endpoints can be used to connect to a vast array of AWS services. Gateway endpoints can connect only to S3 and DynamoDB.

Cram Quiz

Answer this question. The answer follows the question. If you cannot answer the question correctly, consider reading this section again until you can.

1. An S3 bucket contains sensitive data. You must restrict access to this bucket to a set of EC2 instances in a private subnet. What actions should you take to meet these requirements? (Choose three.)

A. Create an interface endpoint and a NAT gateway to connect to the bucket from the VPC.

B. Update the route table to point S3 traffic to a gateway VPC endpoint.

C. Configure a transit gateway to allow the VPC endpoint to communicate with S3.

D. Configure the bucket policy to allow access only to the VPC endpoint.

E. Create a gateway endpoint to connect to the bucket from the VPC.

Cram Quiz Answers

1. Answer: B, D, and E are correct. A gateway endpoint connects to DynamoDB or S3. NAT gateways or Internet gateways are not required. You can also configure the S3 bucket policy to limit access to only the traffic coming through the VPC endpoint.
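As an added example (not from the study guide), the Python below builds the bucket policy that answer D describes and, with boto3, creates the S3 gateway endpoint and attaches the policy; the region, bucket name, and VPC and route-table IDs are placeholders I assumed.

```python
"""Lock an S3 bucket to traffic arriving through one gateway VPC endpoint.

Added example, not from the study guide. REGION and every ID passed in below
are constructed placeholders.
"""
import json

REGION = "us-east-1"  # assumed region; the S3 service name embeds the region


def build_vpce_only_policy(bucket: str, vpce_id: str) -> dict:
    """Bucket policy denying every request that did not come via vpce_id.

    An explicit Deny overrides any Allow, so IAM users or roles that could
    otherwise read the bucket are refused from outside the endpoint. It also
    blocks the owner's console/CLI access from outside the VPC, so plan for that.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptFromGatewayEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def create_s3_gateway_endpoint(ec2, vpc_id: str, route_table_ids: list) -> str:
    """Create the endpoint; AWS adds the S3 prefix-list route to each table."""
    resp = ec2.create_vpc_endpoint(
        VpcEndpointType="Gateway",
        VpcId=vpc_id,
        ServiceName=f"com.amazonaws.{REGION}.s3",
        RouteTableIds=route_table_ids,
    )
    return resp["VpcEndpoint"]["VpcEndpointId"]


def lock_bucket_to_vpce(bucket: str, vpc_id: str, route_table_ids: list) -> str:
    import boto3  # imported here so the policy builder stays usable offline

    session = boto3.Session(region_name=REGION)
    vpce_id = create_s3_gateway_endpoint(session.client("ec2"), vpc_id, route_table_ids)
    session.client("s3").put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(build_vpce_only_policy(bucket, vpce_id)))
    return vpce_id
```

Only `lock_bucket_to_vpce` needs AWS credentials; `build_vpce_only_policy` can be run offline to review the policy before applying it.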

VPC Peering

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. Can a VPC peering connection span multiple AWS regions and accounts?

2. An organization is connecting many VPCs using VPC peering connections. This solution has become overly complex and must be simplified. Which AWS networking product provides a solution to this issue?

Answers

1. Answer: Yes, VPC peering connections can be created with VPCs in different regions. A VPC peering connection can be established with a VPC in a different account, but the owner of the other account must accept your peering connection request.

2. Answer: The AWS Transit Gateway provides a highly available and scalable service that can be used to connect many VPCs. This eliminates the need for a complex full-mesh network of VPC peering connections and instead creates a simple hub-and-spoke topology.