AWS Certified Solutions Architect - Professional 2020


When should I use a proxy server or a NAT gateway to connect to an HTTPS endpoint over the internet?

Hello All,

I’m studying for the SAP certification and doing a simulated test.

In this simulation I got the question below, where answer number 1 is supposed to be the correct one; however, I believe that answer number 2 could also be correct. Could you please explain to me the difference between both options (answers)?

In case Answer #2 is correct, please let me know why!
I really appreciate your help and time. Regards!!!

QUESTION: A company has an internal AWS Elastic Beanstalk worker environment inside a VPC that must access an external payment gateway API available on an HTTPS endpoint on the public internet. Because of security policies, the payment gateway’s Application team can grant access to only one public IP address. Which architecture will set up an Elastic Beanstalk environment to access the company’s application without making multiple changes on the company’s end?

Answer #1: Configure the Elastic Beanstalk application to place Amazon EC2 instances in a private subnet with an outbound route to a NAT gateway in a public subnet. Associate an Elastic IP address to the NAT gateway that can be whitelisted on the payment gateway application side.

Answer #2: Configure the Elastic Beanstalk application to place Amazon EC2 instances in a private subnet. Set an https_proxy application parameter to send outbound HTTPS connections to an EC2 proxy server deployed in a public subnet. Associate an Elastic IP address to the EC2 proxy host that can be whitelisted on the payment gateway application side.

Patrick Labonte

After some research: answer #1 is missing that the NAT GW needs a custom route to the Internet Gateway. But I think there must be a better answer. See: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-working-with "To ensure that your NAT gateway can access the internet, the route table associated with the subnet in which your NAT gateway resides must include a route that points internet traffic to an internet gateway. For more information, see Creating a custom route table. If you delete a NAT gateway, the NAT gateway routes remain in a blackhole status until you delete or update the routes. For more information, see Adding and removing routes from a route table."

1 Answer

Both answers look technically correct. Maybe it’s about that part of the question: "without making multiple changes on the company’s end"?
Setting up a proxy requires configuring all apps that will use it (e.g. by setting the https_proxy env variable), hence multiple changes.
Setting up a NAT gateway is a matter of subnet routing and attaching an Elastic IP, so no changes to the apps themselves are required.
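
The egress path discussed in this thread (private subnet, NAT gateway, internet gateway, one Elastic IP) can be checked mechanically. The following is an added example, not part of the original thread: it runs over constructed data shaped like the EC2 DescribeRouteTables and DescribeNatGateways responses, with made-up IDs and IP, and assumes explicit subnet associations only (the main route table fallback is not modelled).

```python
# Constructed sample data shaped like EC2 DescribeRouteTables / DescribeNatGateways
# responses; all IDs and the IP (TEST-NET-3 documentation range) are made up.
# Assumption: every subnet has an explicit route table association.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public", "State": "available",
                 "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]}]


def default_route(subnet_id, route_tables):
    """Return the active 0.0.0.0/0 route of the table associated with subnet_id, or None."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            for route in table.get("Routes", []):
                if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                        and route.get("State", "active") == "active"):  # skips blackhole routes
                    return route
    return None


def egress_ips(private_subnet, route_tables, nat_gateways):
    """Return (public_ips, problems) for outbound traffic from private_subnet via a NAT gateway."""
    route = default_route(private_subnet, route_tables)
    if route is None or not route.get("NatGatewayId"):
        return [], ["private subnet has no active default route to a NAT gateway"]
    nat = next((n for n in nat_gateways if n["NatGatewayId"] == route["NatGatewayId"]), None)
    if nat is None or nat.get("State") != "available":
        return [], ["NAT gateway is missing or not in the 'available' state"]
    problems = []
    upstream = default_route(nat["SubnetId"], route_tables)  # the route the comment above quotes
    if upstream is None or not upstream.get("GatewayId", "").startswith("igw-"):
        problems.append("NAT gateway subnet has no default route to an internet gateway")
    ips = [a["PublicIp"] for a in nat.get("NatGatewayAddresses", []) if a.get("PublicIp")]
    if len(ips) != 1:
        problems.append(f"expected exactly one public IP to allowlist, found {len(ips)}")
    return ips, problems


if __name__ == "__main__":
    print(egress_ips("subnet-private", ROUTE_TABLES, NAT_GATEWAYS))
```

An empty problem list together with a single returned address means the payment gateway team has exactly one IP to allow, and nothing on the application instances had to change.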
