SAP-C02 Study Assistant

SAP-C02 Question 279

Transit Gateway VPC EC2

Question

A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment. A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company's other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs. What should the solutions architect do to meet these requirements?


Options

A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.


B. Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.


C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.


D. Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.


Answer

C

Explanation

Correct answer: C

Explanation: choose C for this question.

Correct option: C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.

Reasoning: this option most directly satisfies the key constraint in the question stem. When working through SAP-C02 questions, check the qualifiers in the stem as well, such as highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, security, RTO/RPO and compliance requirements. The main topics tested here are Transit Gateway, VPC and EC2.

Elimination approach: A, B and D usually, at the protocol or ...
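As an added example (not part of the original page), the CloudFormation fragment below shows what option C looks like for one VPC attachment: a dedicated transit gateway route table, the attachment associated with it, a static route to the single authorized VPC, and a default route to the shared services VPC attachment for internet-bound traffic. The parameter names and the assumption that this VPC is authorized to reach exactly one other VPC are constructed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >-
  Added example: dedicated transit gateway route table for one VPC attachment
  so the VPC can reach only its authorized peer and the shared services VPC.
Parameters:
  TransitGatewayId:
    Type: String                # existing transit gateway (assumed)
  AppAttachmentId:
    Type: String                # attachment of the VPC being isolated (assumed)
  AuthorizedAttachmentId:
    Type: String                # attachment of the one VPC it may reach (assumed)
  AuthorizedVpcCidr:
    Type: String                # CIDR of that authorized VPC (assumed)
  SharedServicesAttachmentId:
    Type: String                # attachment of the shared services VPC (assumed)
Resources:
  # One route table per attachment; no other attachment is associated with or
  # propagated into it, so unlisted VPCs are unreachable from this VPC.
  AppRouteTable:
    Type: AWS::EC2::TransitGatewayRouteTable
    Properties:
      TransitGatewayId: !Ref TransitGatewayId
  # Replaces the implicit association with the transit gateway default table.
  AppAssociation:
    Type: AWS::EC2::TransitGatewayRouteTableAssociation
    Properties:
      TransitGatewayAttachmentId: !Ref AppAttachmentId
      TransitGatewayRouteTableId: !Ref AppRouteTable
  # Only the authorized VPC gets a specific route.
  RouteToAuthorizedVpc:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref AppRouteTable
      DestinationCidrBlock: !Ref AuthorizedVpcCidr
      TransitGatewayAttachmentId: !Ref AuthorizedAttachmentId
  # Everything else, including the public internet, goes via shared services.
  DefaultRouteToSharedServices:
    Type: AWS::EC2::TransitGatewayRoute
    Properties:
      TransitGatewayRouteTableId: !Ref AppRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      TransitGatewayAttachmentId: !Ref SharedServicesAttachmentId
```

An attachment can be associated with only one transit gateway route table, so the transit gateway should have default route table association and propagation disabled (or the attachment removed from the default table) before this association is created, and the authorized VPC's and shared services VPC's own route tables still need return routes to this VPC's CIDR.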
