Amazon SAP-C02 Exam - Topic 1 Question 65 Discussion

Actual exam question for Amazon's SAP-C02 exam

Question #: 65
Topic #: 1

A company hosts a metadata API on Amazon EC2 instances behind an internet-facing Application Load Balancer (ALB). Only internal applications that run on EC2 instances in separate AWS accounts need to access the metadata API. All the internal EC2 instances use NAT gateways. A new policy requires that traffic between internal applications must not travel across the public internet. Which solution will meet this requirement?

ACreate an HTTP API in Amazon API Gateway. Configure a route for the metadata API. Configure a VPC link to the VPC that hosts the metadata API's EC2 instances. Update the API Gateway resource policy to include the account IDs of the internal applications that access the metadata API.

BCreate a REST API in Amazon API Gateway. Specify the API Gateway endpoint type as private. Associate the REST API with the metadata API's VPC. Create a gateway VPC endpoint for the REST API. Share the endpoint across accounts by using AWS Resource Access Manager (AWS RAM). Configure the internal applications to connect to the gateway VPC endpoint.

CCreate an internal ALB. Register the metadata API's EC2 instances with the internal ALB. Create an internal Network Load Balancer (NLB) that has a target group type of ALB. Register the internal ALB as the target. Configure an AWS PrivateLink endpoint service for the NLB. Grant the internal applications access to the metadata API through the PrivateLink endpoint.

DCreate an internal ALB. Register the metadata API's EC2 instances with the internal ALB. Configure an AWS PrivateLink endpoint service for the internal ALB. Grant the internal applications access to the metadata API through the PrivateLink endpoint.
Explanation:

Creating an internal ALB and configuring it as a PrivateLink endpoint service enables private connectivity between internal applications and the metadata API, ensuring that traffic does not traverse the public internet.
Internal ALB: Ensures traffic stays within the AWS network and is not exposed publicly.
PrivateLink endpoint service: Provides secure, private access to the ALB from the internal EC2 instances in other AWS accounts.
Traffic stays within the AWS global network, leveraging AWS security best practices and meeting the new policy requirements for no public internet exposure.
This approach is secure, scalable, and minimizes management complexity compared to API Gateway solutions.

Show Suggested Answer

Suggested Answer: D

by Lenita at Mar 03, 2026, 11:10 PM

Limited Time Offer

25%

Off

Get Premium SAP-C02 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!