Delivering Messages to Amazon SQS Queue over Secure Private Network
Question
You have an application running in an EC2 instance and the instance is placed in a private subnet within a VPC.
The application collects data from clients, generates messages, and then pushes the messages to an SQS queue in the same AWS region. For security concerns, the messages should be delivered to the Amazon SQS queue over a secure, private network without being exposed to the internet. How would you achieve this requirement?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Answer : D.
Option A is incorrect because the SQS queue is independent of subnets.
Hence it cannot be created in a private subnet.
Option B is incorrect because the record set in Route 53 cannot guarantee that the traffic goes through a private connection.
Option C is incorrect because a NAT gateway cannot be put in a private subnet.
Moreover, the traffic that goes through a NAT gateway is still public instead of private.
Option D is CORRECT because you can configure the VPC Endpoint for the SQS service.
VPC endpoints also provide reliable connectivity to Amazon SQS without requiring an internet gateway, Network Address Translation (NAT) instance, VPN connection, or AWS Direct Connect connection.
With VPC endpoints, the data between your Amazon VPC and Amazon SQS queue is transferred within the Amazon network, helping protect your instances from internet traffic.
References:
https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html. https://aws.amazon.com/about-aws/whats-new/2018/12/amazon-sqs-vpc-endpoints-aws-privatelink/
To ensure that messages are delivered to an Amazon SQS queue over a secure, private network without being exposed to the internet, you need to follow the below steps:
Create an Amazon Virtual Private Cloud (VPC): Start by creating a VPC with a private subnet in the same region where you want to create the Amazon SQS queue.
Launch an Amazon EC2 instance in the private subnet: This EC2 instance will be used to push messages to the SQS queue.
Create an Amazon SQS queue: Create an Amazon SQS queue in the same region as the EC2 instance, and configure its access policy to allow the EC2 instance to send messages to the queue.
Create an Amazon VPC endpoint for Amazon SQS: This is a private connection between your VPC and Amazon SQS. By creating an Amazon VPC endpoint for Amazon SQS, you can ensure that traffic between your EC2 instance and SQS queue stays within the private network and does not traverse the public internet.
Enable the private DNS name for the Amazon VPC endpoint: When you enable the private DNS name for the Amazon VPC endpoint, your EC2 instance can communicate with the Amazon SQS queue using the DNS name of the VPC endpoint.
Send messages from the EC2 instance to the Amazon SQS queue: Once the Amazon VPC endpoint for Amazon SQS is configured, the EC2 instance can send messages to the Amazon SQS queue over the private network.
Option A is incorrect because creating an SQS queue in the private subnet does not ensure that messages are delivered over a secure, private network without being exposed to the internet.
Option B is incorrect because traffic within a private subnet is not guaranteed to be secure and private.
Option C is incorrect because Route 53 is a DNS service and does not ensure that messages are delivered over a secure, private network without being exposed to the internet.
Option D is incorrect because configuring a NAT gateway in the private subnet and using it to forward messages to the SQS queue does not ensure that messages are delivered over a secure, private network without being exposed to the internet.
Therefore, option E is the correct answer to the question.
