SAP-C02 Exam Dumps - AWS Certified Solutions Architect - Professional

Option A is incorrect because creating a Direct Connect gateway in the central account and creating an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway does not enable active-passive failover between the regions. A Direct Connect gateway is a globally available resource that enables you to connect your AWS Direct Connect connection over a private virtual interface (VIF) to one or more VPCs in any AWS Region. A virtual private gateway is the VPN concentrator on the Amazon side of a VPN connection. You can associate a Direct Connect gateway with either a transit gateway or a virtual private gateway. However, a Direct Connect gateway does not provide any load balancing or failover capabilities by itself1

Option B is correct because creating a Direct Connect gateway and a transit gateway in the central network account and attaching the transit gateway to the Direct Connect gateway by using a transit VIF meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. A transit VIF is a type of private VIF that you can use to connect your AWS Direct Connect connection to a transit gateway or a Direct Connect gateway. A transit gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks. By using a transit VIF, you can route traffic between your on-premises network and multiple VPCs across different AWS accounts and Regions through a single connection23

Option C is incorrect because provisioning an internet gateway, attaching the internet gateway to subnets, and allowing internet traffic through the gateway does not meet the requirement of routing cloud resources to the internet through its on-premises data center. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. By using an internet gateway, you are routing cloud resources directly to the internet, not through your on-premises data center.

Option D is correct because sharing the transit gateway with other accounts and attaching VPCs to the transit gateway meets the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. You can share your transit gateway with other AWS accounts within the same organization by using AWS Resource Access Manager (AWS RAM). This allows you to centrally manage connectivity from multiple accounts without having to create individual peering connections between VPCs or duplicate network appliances in each account. You can attach VPCs from different accounts and Regions to your shared transit gateway and enable routing between them.

Option E is incorrect because provisioning VPC peering as necessary does not meet the requirement of enabling the corporate network to access the resources on AWS seamlessly and also to communicate with all the VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within asingle Region. However, VPC peering does not allow you to route traffic from your on-premises network to your VPCs or between multiple Regions. You would need to create multiple VPN connections or Direct Connect connections for each VPC peering connection, which increases operational complexity and costs.

Option F is correct because provisioning only private subnets, opening the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center meets the requirement of routing cloud resources to the internet through its on-premises data center. A private subnet is a subnet that’s associated with a route table that has no route to an internet gateway. Instances in a private subnet can communicate with other instances in the same VPC but cannot access resources on the internet directly. To enable outbound internet access from instances in private subnets, you can use NAT devices such as NAT gateways or NAT instances that are deployed in public subnets. A public subnet is a subnet that’s associated with a route table that has a route to an internet gateway. Alternatively, you can use your on-premises data center as a NAT device by configuring routes on your transit gateway and customer gateway that direct outbound internet traffic from your private subnets through your VPN connection or Direct Connect connection. This way, you can route cloud resources to the internet through your on-premises data center instead of using an internet gateway.

Creating a user pool in Amazon Cognito and configuring it for the application will meet the requirement of giving only a specific list of users the ability to access the application from the internet. A user pool is a directory of users that can sign in to an application with ausername and password1. The company can populate the user pool with the required users and configure the pool to require MFA for additional security2. Configuring a listenerrule on the ALB to require authentication through the Amazon Cognito hosted UI will meet the requirement of not changing the application and not integrating it with an identity provider. The ALB can use Amazon Cognito as an authentication action to authenticate usersbefore forwarding requests to the Fargate service3. The Amazon Cognito hosted UI is a customizable web page that provides sign-in and sign-up functionality for users4.

https://aws.amazon.com/about-aws/whats-new/2017/11/aws-lambda-supports-traffic-shifting-and-phased-deployments-with-aws-codedeploy/

This option allows the company to use Amazon Aurora MySQL, which is a fully managed relational database service that is compatible with MySQL and offers up to five times better performance than standard MySQL1. By migrating the database to Aurora MySQL, the company can benefitfrom its high availability, durability, scalability, and security features1. By deploying the application in an Auto Scaling group on Amazon EC2 instances behind an Application LoadBalancer, the company can ensure that the application can handle varying levels of traffic and distribute the requests across multiple instances2. By storing sessions in an Amazon ElastiCache for Redis replication group, the company can improve the performance and reliability of the session data by using a fast, in-memory data store that supports replication and failover3.

What is Amazon Aurora?

What is Auto Scaling?

What is Amazon ElastiCache?

Comprehensive and Detailed Explanation From Exact Extract:

D is correct because the requirement explicitly calls for (1) dedicated private connectivity, (2) automated and centrally managed operation, and (3) connectivity between on-premises data centers and multiple AWS Regions.

AWS Direct Connect provides dedicated private connectivity from on-premises environments to AWS. This is the key differentiator versus internet-based connectivity options when performance and consistency are required to meet strict SLAs.

AWS Cloud WAN provides centralized, policy-based management of a global network across Regions and on-premises attachments. Using Direct Connect attachments to Cloud WAN lets the company centrally define routing/segmentation policies and connect multiple data centers to multiple Regions in a consistent, automated way—well aligned to “automated and centrally managed” requirements for a multi-Region payment platform.

Why the other options are incorrect:

A (Global Accelerator) improves performance for internet-facing endpoints using Anycast and edge routing, but it does not provide private, dedicated connectivity between on-premises networks and AWS services. It is not the right tool for private HSM-to-AWS service connectivity.

B (Site-to-Site VPN + Transit Gateway) can be centrally routed with Transit Gateway, but VPN tunnels run over the public internet and are not “dedicated private connectivity.” They can be acceptable for many cases, but they do not best meet “dedicated private connectivity” and strict SLA expectations compared to Direct Connect.

C (CloudHSM) changes the architecture by moving tokenization into AWS-managed HSM infrastructure. The question states the company manages on-premises HSMs and needs private connectivity between those HSMs and AWS payment services, so replacing them with CloudHSM does not satisfy the stated connectivity requirement.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-examples.html

Comprehensive and Detailed in Depth Explanation:

B is correct because RDS Proxy allows for connection pooling and improved management of DB connections. Lambda + RDS often runs into connection exhaustion during high concurrency unless RDS Proxy is used. Provisioned concurrency prevents cold starts.

RDS Proxyoptimizes and pools DB connections. By combining this withPrivateLink + NLB, other accounts can securely access the proxy endpoint without going over the internet or setting up peering for every new account.

RDS Proxy Docs