Topic 1 Question 15
To run an application, a DevOps engineer launches Amazon EC2 instances with public IP addresses in a public subnet. A user data script obtains the application artifacts and installs them on the instances upon launch. A change to the security classification of the application now requires the instances to run with no access to the internet. While the instances launch successfully and show as healthy, the application does not seem to be installed. Which of the following should successfully install the application while complying with the new rule?
A. Launch the instances in a public subnet with Elastic IP addresses attached. Once the application is installed and running, run a script to disassociate the Elastic IP addresses afterwards.
B. Set up a NAT gateway. Deploy the EC2 instances to a private subnet. Update the private subnet's route table to use the NAT gateway as the default route.
C. Publish the application artifacts to an Amazon S3 bucket and create a VPC endpoint for S3. Assign an IAM instance profile to the EC2 instances so they can read the application artifacts from the S3 bucket.
D. Create a security group for the application instances and allow only outbound traffic to the artifact repository. Remove the security group rule once the install is complete.
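The "no access to the internet" requirement can be checked against a subnet's route table. The following is an added example, not part of the original question: it flags routes that give instances an internet path, using constructed route tables for a public subnet, a private subnet behind a NAT gateway, and a private subnet with an S3 endpoint (assumed here to be a gateway-type endpoint, which appears as a prefix-list route). All IDs and the function name are hypothetical.

```python
# Added example. Route dictionaries follow the shape of the EC2
# DescribeRouteTables response; every ID below is a constructed placeholder.

def internet_egress_routes(route_table):
    """Return (kind, target) for each active route that leads to the internet."""
    findings = []
    for route in route_table.get("Routes", []):
        if route.get("State") != "active":
            continue  # blackhole routes carry no traffic
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-"):
            findings.append(("internet-gateway", gateway))
        elif "NatGatewayId" in route:
            findings.append(("nat-gateway", route["NatGatewayId"]))
        elif "EgressOnlyInternetGatewayId" in route:
            findings.append(("egress-only-igw", route["EgressOnlyInternetGatewayId"]))
        # "local" routes and gateway endpoints (vpce- target, pl- destination)
        # keep traffic inside the VPC or on the AWS network.
    return findings

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

PUBLIC_SUBNET = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                    "GatewayId": "igw-0example", "State": "active"}]}
NAT_SUBNET = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                                 "NatGatewayId": "nat-0example", "State": "active"}]}
S3_ENDPOINT_SUBNET = {"Routes": [LOCAL, {"DestinationPrefixListId": "pl-0example",
                                         "GatewayId": "vpce-0example", "State": "active"}]}

if __name__ == "__main__":
    for name, table in [("public subnet", PUBLIC_SUBNET),
                        ("private subnet + NAT gateway", NAT_SUBNET),
                        ("private subnet + S3 gateway endpoint", S3_ENDPOINT_SUBNET)]:
        hits = internet_egress_routes(table)
        print(f"{name}: {'internet path via ' + str(hits) if hits else 'no internet route'}")
```

The check covers only direct route targets; paths through a transit gateway, a peering connection or an appliance network interface have to be traced separately.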
Comments (13)
- Selected answer: B
Use NAT GW to access the Internet
👍 3 ele 2023/04/07

Option B is the best solution as it provides a secure way for the instances to access the internet and the application artifacts without compromising security. By deploying the instances in a private subnet and setting up a NAT gateway, the instances can access the internet through the NAT gateway, which acts as a proxy, while not having direct access to the internet. The NAT gateway allows outbound internet connectivity, but inbound traffic is not allowed, so it complies with the new security rule.
👍 3 alce2020 2023/04/14

- Selected answer: C
C for me; with a NAT gateway we will have access to the internet
👍 2 Dimidrol 2023/04/08