AWS Certified Advanced Networking - Specialty Exam: Architecture Changes for a Three Tier Application

Architecture Changes for a Three Tier Application


Question

You're working as a consultant for a company that has a three tier application.

The application layer of this architecture sends over 20Gbps of data per second to and from Amazon S3 during peak hours.

Currently, you're running two NAT gateways in two subnets to transfer the data from your private application layer to Amazon S3.

You will also need to ensure that the instances receive software patches from a third party repository.

What architecture changes should be made, if any? Choose the correct answer from the options below.

Answers

Explanations


A. B. C. D.

Answer - B.

VPC endpoints alleviate the need for everything to go through the NAT instance.

For more information on VPC endpoints please refer to the below URL:

https://aws.amazon.com/blogs/aws/new-vpc-endpoint-for-amazon-s3/
New VPC Endpoint for S3
Today we are simplifying access to S3 resources from within a VPC by introducing the concept of a VPC Endpoint. These endpoints are easy to configure, highly reliable, and provide a secure connection to S3 that does not require a gateway or NAT instances.

EC2 instances running in private subnets of a VPC can now have controlled access to S3 buckets, objects, and API functions that are in the same region as the VPC. You can use an S3 bucket policy to indicate which VPCs and which VPC Endpoints have access to your S3 buckets.

The correct answer for this scenario is B. Keep the NAT gateway and create a VPC S3 endpoint which allows for higher bandwidth throughput as well as tighter security.

Explanation: The architecture currently in use consists of two NAT gateways in two subnets to transfer data between the private application layer and Amazon S3. However, during peak hours, the data transferred between the application layer and Amazon S3 reaches 20Gbps. It is important to ensure that the architecture can support the required bandwidth and handle any potential increases in demand.

Option A suggests adding a third NAT gateway to a third subnet to allow for any increase in demand. However, NAT gateways support a maximum bandwidth of 10Gbps each. Therefore, adding a third NAT gateway will not improve the bandwidth limitations of the existing architecture.

Option C suggests that no changes are required to improve this architecture. However, as mentioned above, the current architecture is limited to a maximum bandwidth of 20Gbps due to the use of two NAT gateways.

Option D suggests removing the NAT gateways and creating a VPC S3 endpoint. While this would provide higher bandwidth throughput and tighter security for the S3 traffic, it is not the best solution here: the NAT gateways are still needed to control outbound traffic, and the question states that the instances must continue to receive software patches from a third-party repository, which a gateway endpoint for S3 cannot reach. Removing the NAT gateways would cut off that path.

Option B, on the other hand, suggests keeping the NAT gateways and creating a VPC S3 endpoint. This solution provides the best of both worlds by utilizing the existing NAT gateways for traffic control and adding a VPC S3 endpoint for higher bandwidth throughput and tighter security. A VPC S3 endpoint allows traffic to flow directly between an Amazon VPC and Amazon S3, without having to traverse the internet. This reduces the attack surface and improves the security of the architecture. Additionally, VPC S3 endpoints can support up to 20Gbps of throughput, which meets the bandwidth requirements of the current scenario.

Therefore, option B is the most appropriate solution for this scenario.
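The following script is an added example and is not part of the exam page or of AWS's own material. It shows what option B looks like in practice: a gateway VPC endpoint for S3 is created and attached to the route tables of the private application subnets, while the existing default route to the NAT gateways is left in place for the third-party patch repository. It then applies the kind of bucket policy the quoted blog post mentions, denying every request that does not arrive through that endpoint. The region, VPC ID, route table IDs and bucket name are placeholders; only `bucket_policy_json` runs without AWS credentials, and the `aws` calls run only when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: S3 gateway endpoint alongside retained NAT gateways.
# All resource identifiers below are placeholders (assumptions), not real ones.
set -eu

REGION="us-east-1"                               # assumption: bucket and VPC share a region
VPC_ID="vpc-PLACEHOLDER"
ROUTE_TABLE_IDS="rtb-app-a-PLACEHOLDER rtb-app-b-PLACEHOLDER"   # private app subnets
BUCKET="example-app-data-bucket"                  # constructed bucket name

# Build a bucket policy that denies any request not sent through the given
# VPC endpoint. The Deny applies to every principal, so console access and
# other VPCs are locked out until they are added as exceptions.
bucket_policy_json() {
  vpce_id="$1"
  bucket="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyAccessExceptViaVpcEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::${bucket}",
        "arn:aws:s3:::${bucket}/*"
      ],
      "Condition": {
        "StringNotEquals": {
          "aws:SourceVpce": "${vpce_id}"
        }
      }
    }
  ]
}
EOF
}

# Create the gateway endpoint and attach it to the private route tables.
# AWS inserts a route for the regional S3 prefix list into each table; it is
# more specific than the 0.0.0.0/0 route to the NAT gateway, so S3 traffic
# uses the endpoint while patch-repository traffic still goes out via NAT.
create_s3_endpoint() {
  aws ec2 create-vpc-endpoint \
    --region "$REGION" \
    --vpc-id "$VPC_ID" \
    --vpc-endpoint-type Gateway \
    --service-name "com.amazonaws.${REGION}.s3" \
    --route-table-ids $ROUTE_TABLE_IDS \
    --query 'VpcEndpoint.VpcEndpointId' \
    --output text
}

# Apply the restrictive policy to the bucket.
apply_bucket_policy() {
  aws s3api put-bucket-policy \
    --region "$REGION" \
    --bucket "$2" \
    --policy "$(bucket_policy_json "$1" "$2")"
}

# Show the resulting routes so the prefix-list entry can be verified beside
# the existing NAT gateway default route.
show_routes() {
  aws ec2 describe-route-tables \
    --region "$REGION" \
    --route-table-ids $ROUTE_TABLE_IDS \
    --query 'RouteTables[].Routes[].[DestinationCidrBlock,DestinationPrefixListId,GatewayId,NatGatewayId]' \
    --output table
}

if [ "${APPLY:-0}" = "1" ]; then
  VPCE_ID="$(create_s3_endpoint)"
  apply_bucket_policy "$VPCE_ID" "$BUCKET"
  show_routes
fi
```

Two points worth checking before applying this for real: a gateway endpoint only serves S3 in the VPC's own region, so cross-region bucket access will still fall through to the NAT gateways, and the Deny statement blocks every path except the named endpoint, so any other legitimate access (for example an administrator using the console) must be carved out explicitly.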