Amazon Web Services Updated SAP-C02 Exam Questions and Answers by hadi

Create Amazon S3 gateway endpoint in the VPC and add a VPC endpoint policy. This VPC endpoint policy will have a statement that allows S3 access only via access points owned by the organization.

The correct answer is D. Deploy the application on Amazon Elastic Kubernetes Service (Amazon EKS) with AWS Fargate and enable auto scaling behind an Application Load Balancer. Create additional read replicas for the DB instance. Create an Amazon Managed Streaming for Apache Kafka cluster and configure the application services to use the cluster. Store static content in Amazon S3 behind an Amazon CloudFront distribution.

Option D meets the requirements of the scenario because it allows you to reduce operational overhead and support the product release by using the following AWS services and features:

Amazon Elastic Kubernetes Service (Amazon EKS) is a fully managed service that allows you to run Kubernetes applications on AWS without needing to install, operate, or maintain your own Kubernetes control plane. You can use Amazon EKS to deploy your containerized application services on a Kubernetes cluster that is compatible with your existing tools and processes.

AWS Fargate is a serverless compute engine that eliminates the need to provision and manage servers for your containers. You can use AWS Fargate as the launch type for your Amazon EKS pods, which are the smallest deployable units of computing in Kubernetes. You can also enable auto scaling for your pods, which allows you to automatically adjust the number of pods based on the demand or custom metrics.

An Application Load Balancer (ALB) is a load balancer that distributes traffic across multiple targets in multiple Availability Zones using HTTP or HTTPS protocols. You can use an ALB to balance the load across your Amazon EKS pods and provide high availability and fault tolerance for your application.

Amazon RDS for PostgreSQL is a fully managed relational database service that supports the PostgreSQL open source database engine. You can create additional read replicas for your DB instance, which are copies of your primary DB instance that can handle read-only queries and improve performance. You can also useread replicas to scale out beyond the capacity of a single DB instance for read-heavy workloads.

Amazon Managed Streaming for Apache Kafka (Amazon MSK) is a fully managed service that makes it easy to build and run applications that use Apache Kafka to process streaming data. Apache Kafka is an open source platform for building real-time data pipelines and streaming applications. You can use Amazon MSK to create and manage a Kafka cluster that is highly available, secure, and compatible with your existing Kafka applications. You can also configure your application services to use the Amazon MSK cluster as a source or destination of streaming data.

Amazon S3 is an object storage service that offers high durability, availability, and scalability. You can store static content such as images, videos, or documents in Amazon S3 buckets, which are containers for objects. You can also serve static content directly from Amazon S3 using public URLs or presigned URLs.

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. You can use Amazon CloudFront to create a distribution that caches static content from your Amazon S3 bucket at edge locations closer to your users. This can improve the performance and user experience of your application.

Option A is incorrect because creating an EC2 Auto Scaling group behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances for your containers. Creating additional read replicas for the DB instance would not provide high availability or fault tolerance in case of a failure of the primary DB instance, unlike deploying the DB instance in Multi-AZ mode. Creating Amazon Kinesis data streams would not be compatible with your existing Apache Kafka applications, unlike using Amazon MSK.

Option B is incorrect because creating an EC2 Auto Scaling group behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances for your containers. Creating Amazon Kinesis data streams would not be compatible with your existing Apache Kafka applications, unlike using Amazon MSK. Storing and serving static content directly from Amazon S3 would not provide optimal performance and user experience, unlike using Amazon CloudFront.

Option C is incorrect because deploying the application on a Kubernetes cluster created on the EC2 instances behind an ALB would not reduce operational overhead as much as using AWS Fargate with Amazon EKS, as you would still need to manage EC2 instances and Kubernetes control plane for your containers. Using Amazon API Gateway to interact with the application would add an unnecessary layer of complexity and cost to your architecture, as you would need to create and maintain an API gateway that proxies requests to your ALB.

The company needs centralized traffic inspection and centralized internet access for multiple workload VPCs connected by a transit gateway. The standard AWS hub-and-spoke pattern for centralized inspection is to use an inspection VPC that hosts network virtual appliances behind a Gateway Load Balancer, and to steer traffic from spoke VPCs through the transit gateway to the inspection VPC. Gateway Load Balancer endpoints are used to privately connect VPCs to the GWLB, allowing traffic to be transparently redirected to the appliances for inspection without changing application configurations.

To ensure symmetric routing for stateful inspection (so that return traffic traverses the same appliance path), appliance mode is enabled on the transit gateway attachment that connects to the inspection VPC. Appliance mode is specifically used with transit gateways and third-party appliances to preserve flow symmetry and avoid asymmetric routing issues.

Option D matches the centralized model: it creates a dedicated inspection VPC that contains the GWLB, endpoints, and the inspection appliance. It updates workload VPC routes to send traffic to the transit gateway and configures the transit gateway route tables to forward relevant traffic to the GWLB endpoints in the inspection VPC. Enabling appliance mode on the transit gateway is the key operational setting to maintain symmetric routing through the appliance fleet for inspected traffic.

Option A is incorrect because it places the inspection components inside an existing workload VPC rather than using a centralized inspection VPC. This increases coupling, makes the architecture harder to manage, and does not match the typical centralized inspection pattern. It also references enabling appliance mode on the GWLB, whereas appliance mode is a transit gateway attachment feature used for routing symmetry with appliances, not a setting “on the GWLB” itself.

Option B is incorrect because it splits the GWLB and endpoints/appliances across different workload VPCs, which complicates the design and is not the intended GWLB pattern. GWLB endpoints are created in VPCs that need to send traffic to the GWLB service; the appliances sit behind the GWLB in the provider/inspection VPC. The option also refers to enabling appliance mode on endpoints, but the appliance mode setting is associated with the transit gateway attachment.

Option C is incorrect because VPC flow logs are for logging and visibility; flow logs do not route traffic. Also, separating “inspection VPC” and “internet access VPC” with the appliances in the internet VPC does not align with the standard GWLB centralized inspection architecture and introduces unnecessary complexity.

Therefore, creating a dedicated inspection VPC with GWLB and endpoints and enabling appliance mode on the transit gateway attachment is the correct centralized approach.