Configuring Kinesis Streams for Private Subnet Access in AWS

Connect EC2 Instance to Kinesis Stream without Internet Access

Question

A company is planning on hosting an application that will make use of Kinesis Streams.

The consumer-based application will be sitting on an EC2 Instance in a private subnet.

There is a requirement to ensure that the application can connect to the Kinesis stream without passing through the Internet.

Which of the following would be ideal for this scenario?

Explanations

Answer - D.

The AWS Documentation mentions the following.

You can use an interface VPC endpoint to keep traffic between your Amazon VPC and Kinesis Data Streams from leaving the Amazon network.

Interface VPC endpoints don't require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between AWS services using an elastic network interface with private IPs in your Amazon VPC.

All other options are incorrect because each of them would require the traffic to traverse the Internet.

For more information on using streams with VPC endpoints, please refer to the URL below.

https://docs.aws.amazon.com/streams/latest/dev/vpc.html

The ideal solution for allowing an application on an EC2 instance in a private subnet to connect to a Kinesis stream without passing through the internet is to use a VPC endpoint. Therefore, the correct answer is D.

A VPC endpoint is a service that enables private communication between a VPC and another service, in this case, Kinesis Streams, without traversing the public internet. The VPC endpoint is a horizontally scaled, redundant, and highly available VPC component that allows connectivity to Kinesis Streams via a private IP address. The endpoint resides inside your VPC and uses your security groups to control access to the service.

Option A, creating a VPN connection and attaching it to the VPC, would allow the EC2 instance to communicate with Kinesis Streams through the private network, but it would involve creating and configuring a VPN connection, which adds complexity and may require additional resources.

Option B, creating a NAT Instance in the public subnet, would enable instances in the private subnet to access the internet, but it would not provide a secure connection to Kinesis Streams, as traffic would still traverse the public internet.

Option C, creating a NAT Gateway in the public subnet, is similar to option B, except that NAT Gateway is a fully managed service and doesn't require you to maintain and manage your own NAT instance. However, like option B, it wouldn't provide a secure connection to Kinesis Streams.

Therefore, the best solution is to use a VPC endpoint to ensure secure, private connectivity between the EC2 instance and Kinesis Streams.
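The following is an added example, not part of the original explanation or of AWS's documentation. It shows two things a practitioner usually wants alongside the answer: how the interface endpoint request for Kinesis Data Streams is built (the argument names match boto3's `ec2.create_vpc_endpoint()`, and the endpoint policy restricts the endpoint to one stream), and a small audit that checks whether a subnet's Kinesis traffic can actually stay on the private path: an available `kinesis-streams` interface endpoint exists in the subnet's VPC, private DNS is enabled (otherwise the SDK's default `kinesis.<region>.amazonaws.com` name still resolves to public IPs), and the subnet's route table has no default route out to an internet or NAT gateway. All VPC, subnet, endpoint, security-group and stream identifiers are constructed sample values; the dictionaries only mimic the shape of `describe-vpc-endpoints` and `describe-route-tables` output.

```python
import json

FINDING_NO_ENDPOINT = "NO_ENDPOINT"
FINDING_PRIVATE_DNS_DISABLED = "PRIVATE_DNS_DISABLED"
FINDING_DEFAULT_ROUTE_TO_INTERNET = "DEFAULT_ROUTE_TO_INTERNET"


def kinesis_service_name(region):
    """Service name of the Kinesis Data Streams interface endpoint in a region."""
    return f"com.amazonaws.{region}.kinesis-streams"


def endpoint_request(vpc_id, region, subnet_ids, security_group_ids, stream_arn):
    """Keyword arguments for boto3's ec2.create_vpc_endpoint(**request).

    The endpoint policy limits what the endpoint may be used for (one stream,
    consumer actions only); the caller's IAM policies still apply on top."""
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["kinesis:DescribeStream", "kinesis:ListShards",
                       "kinesis:GetShardIterator", "kinesis:GetRecords"],
            "Resource": stream_arn,
        }],
    }
    return {
        "VpcEndpointType": "Interface",
        "VpcId": vpc_id,
        "ServiceName": kinesis_service_name(region),
        "SubnetIds": list(subnet_ids),          # one subnet per AZ the consumer runs in
        "SecurityGroupIds": list(security_group_ids),  # must allow TCP/443 from the instance
        "PrivateDnsEnabled": True,              # default SDK hostname resolves to the endpoint ENI
        "PolicyDocument": json.dumps(policy),
    }


def is_kinesis_interface_endpoint(endpoint, region):
    return (endpoint.get("VpcEndpointType") == "Interface"
            and endpoint.get("ServiceName") == kinesis_service_name(region)
            and endpoint.get("State") == "available")


def subnet_route_table(route_tables, subnet_id):
    """An explicitly associated route table wins; otherwise the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def has_default_route_out(route_table):
    """True if 0.0.0.0/0 points at an internet gateway, NAT gateway or NAT instance."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if (route.get("GatewayId", "").startswith("igw-")
                or route.get("NatGatewayId") or route.get("InstanceId")):
            return True
    return False


def audit_subnet(subnet_id, vpc_id, region, endpoints, route_tables):
    """Return finding codes for a subnet; an empty list means the private path is in place."""
    findings = []
    in_vpc = [e for e in endpoints
              if is_kinesis_interface_endpoint(e, region) and e.get("VpcId") == vpc_id]
    if not in_vpc:
        findings.append(FINDING_NO_ENDPOINT)
    elif not any(e.get("PrivateDnsEnabled") for e in in_vpc):
        findings.append(FINDING_PRIVATE_DNS_DISABLED)
    table = subnet_route_table(route_tables, subnet_id)
    if table is not None and has_default_route_out(table):
        findings.append(FINDING_DEFAULT_ROUTE_TO_INTERNET)
    return findings


# Constructed sample data (shape of describe-vpc-endpoints / describe-route-tables only).
REGION = "us-east-1"
SAMPLE_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0example1", "VpcId": "vpc-0example", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kinesis-streams", "State": "available",
     "SubnetIds": ["subnet-0private-a"], "PrivateDnsEnabled": True},
    {"VpcEndpointId": "vpce-0example2", "VpcId": "vpc-0nodns", "VpcEndpointType": "Interface",
     "ServiceName": "com.amazonaws.us-east-1.kinesis-streams", "State": "available",
     "SubnetIds": ["subnet-0private-b"], "PrivateDnsEnabled": False},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-0public", "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-0natted", "Associations": [{"Main": False, "SubnetId": "subnet-0private-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]

if __name__ == "__main__":
    for subnet, vpc in [("subnet-0private-a", "vpc-0example"),
                        ("subnet-0private-b", "vpc-0nodns"),
                        ("subnet-0public", "vpc-0other")]:
        print(subnet, audit_subnet(subnet, vpc, REGION, SAMPLE_ENDPOINTS, SAMPLE_ROUTE_TABLES))
```

The audit deliberately checks the endpoint at VPC level rather than subnet level: an interface endpoint's ENIs are reachable from every subnet in the VPC, so what matters is that an endpoint exists there, that private DNS is on, and that no alternative path to the public Kinesis endpoint remains. A `DEFAULT_ROUTE_TO_INTERNET` finding on a subnet that also has a working endpoint is not a misconfiguration on its own (private subnets often keep a NAT route for other traffic), but it is the condition under which a disabled private DNS silently sends Kinesis calls out through NAT.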