SAP-C02 Question 521
Question
A company is changing the way that it handles patching of Amazon EC2 instances in its application account. The company currently patches instances over the internet by using a NAT gateway in a VPC in the application account. The company has EC2 instances set up as a patch source repository in a dedicated private VPC in a core account. The company wants to use AWS Systems Manager Patch Manager and the patch source repository in the core account to patch the EC2 instances in the application account. The company must prevent all EC2 instances in the application account from accessing the internet. The EC2 instances in the application account need to access Amazon S3, where the application data is stored. These EC2 instances need connectivity to Systems Manager and to the patch source repository in the private VPC in the core account. Which solution will meet these requirements?
Options
A. Create a network ACL that blocks outbound traffic on port 80. Associate the network ACL with all subnets in the application account. In the application account and the core account, deploy one EC2 instance that runs a custom VPN server. Create a VPN tunnel to access the private VPC. Update the route table in the application account.
B. Create private VIFs for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route table in the core account.
C. Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
D. Create a network ACL that blocks inbound traffic on port 80. Associate the network ACL with all subnets in the application account. Create a transit gateway to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
Answer
C
Explanation
Correct answer: C
Correct option: C. Create VPC endpoints for Systems Manager and Amazon S3. Delete the NAT gateway from the VPC in the application account. Create a VPC peering connection to access the patch source repository EC2 instances in the core account. Update the route tables in both accounts.
Reasoning: This option most directly satisfies the key constraints in the question stem: removing the NAT gateway cuts internet access for the application account's instances, the VPC endpoints give those instances private paths to Systems Manager and Amazon S3, and the VPC peering connection provides the route to the patch source repository in the core account's private VPC. When working through SAP-C02 questions, always check the answer against the qualifiers in the stem, such as highest performance, lowest operational overhead, cost effectiveness, reliability, scalability, sec...