Is it because of NAT Gateway cost considerations?
I expected this to be because A and C would cost less than B, although it is certainly possible with B.
However, it is difficult to accurately consider this because there is no assumption from the problem statement to choose the one with the lowest cost.
If you need a Lambda function to access resources in a VPC, you can either expose those resources publicly, which is usually not recommended, or attach the function to the VPC.
Exposing the resource publicly may indicate answer C; however, for this to work it is not enough to change security groups, you actually need to locate the Neptune cluster in public subnets and assign public IPs to the cluster. Based on this, it is not possible, so option C is not a correct answer.
So this means that you must attach the function to the VPC. You can attach the function to a public subnet (option A), but that actually will not let the functions communicate with the internet, as they do not have a public IP address in this case. This eliminates answer A as well.
You must attach the function to private subnets and then you need to give it a way to communicate with DDB. There are only two options for that: either use a NAT gateway (option B), or use a DynamoDB VPC endpoint (option E).
So the correct answers are B and E.
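The subnet reasoning in the answer above can be checked mechanically. The following is an added example, not code from the thread or from AWS: it takes route tables and VPC endpoints in the shape returned by the EC2 `describe_route_tables` and `describe_vpc_endpoints` APIs and decides whether a Lambda function attached to a given subnet has a usable path to DynamoDB. It encodes the two facts the answer relies on: a Lambda ENI never receives a public IP, so an internet-gateway route (a public subnet) gives it nothing, while a NAT gateway route or a DynamoDB gateway endpoint on the subnet's route table does. The function names, the subnet/route-table IDs and the sample data are constructed for this example; with real data you would feed in the boto3 responses instead. Security groups and network ACLs are deliberately out of scope here.

```python
"""Added example: classify Lambda subnets and check the path to DynamoDB.

Input structures mirror EC2 DescribeRouteTables / DescribeVpcEndpoints
responses. All IDs below are constructed placeholders, not real resources.
"""

# Constructed sample data (placeholder IDs). One public subnet behind an
# internet gateway, one private subnet behind a NAT gateway, one private
# subnet whose route table carries a DynamoDB gateway endpoint, and a VPC
# main route table with no default route at all.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main-EXAMPLE",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [{"Main": False, "SubnetId": "subnet-public-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-nat-EXAMPLE",
        "Associations": [{"Main": False, "SubnetId": "subnet-nat-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-vpce-EXAMPLE",
        "Associations": [{"Main": False, "SubnetId": "subnet-vpce-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            # Gateway endpoints add a prefix-list route pointing at the vpce.
            {"DestinationPrefixListId": "pl-EXAMPLE", "GatewayId": "vpce-ddb-EXAMPLE"},
        ],
    },
]

VPC_ENDPOINTS = [
    {
        "VpcEndpointId": "vpce-ddb-EXAMPLE",
        "VpcEndpointType": "Gateway",
        "ServiceName": "com.amazonaws.us-east-1.dynamodb",
        "RouteTableIds": ["rtb-vpce-EXAMPLE"],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with the subnet,
    or the VPC main route table when there is no explicit association."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables, subnet_id):
    """'public' if 0.0.0.0/0 goes to an internet gateway, 'private' if it
    goes to a NAT gateway, 'isolated' if there is no default route."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "isolated"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"


def has_dynamodb_gateway_endpoint(route_tables, vpc_endpoints, subnet_id, region):
    """True when a DynamoDB gateway endpoint is attached to the subnet's route table."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return False
    service = f"com.amazonaws.{region}.dynamodb"
    return any(
        ep.get("ServiceName") == service
        and ep.get("VpcEndpointType") == "Gateway"
        and rt["RouteTableId"] in ep.get("RouteTableIds", [])
        for ep in vpc_endpoints
    )


def lambda_can_reach_dynamodb(route_tables, vpc_endpoints, subnet_id, region="us-east-1"):
    """Return (reachable, reason) for a Lambda ENI placed in subnet_id.

    A Lambda ENI has only a private IP, so a public subnet's IGW route is
    unusable; the usable paths are a NAT gateway or a gateway endpoint."""
    if has_dynamodb_gateway_endpoint(route_tables, vpc_endpoints, subnet_id, region):
        return True, "dynamodb gateway endpoint on subnet route table (option E)"
    kind = classify_subnet(route_tables, subnet_id)
    if kind == "private":
        return True, "nat gateway default route (option B)"
    if kind == "public":
        return False, "public subnet: lambda eni has no public ip, igw route unusable (option A)"
    return False, "isolated subnet: no nat gateway and no dynamodb endpoint"


if __name__ == "__main__":
    for subnet in ("subnet-public-EXAMPLE", "subnet-nat-EXAMPLE",
                   "subnet-vpce-EXAMPLE", "subnet-unassociated-EXAMPLE"):
        print(subnet, lambda_can_reach_dynamodb(ROUTE_TABLES, VPC_ENDPOINTS, subnet))
```

Run against real data by replacing `ROUTE_TABLES` and `VPC_ENDPOINTS` with `ec2.describe_route_tables()["RouteTables"]` and `ec2.describe_vpc_endpoints()["VpcEndpoints"]` and passing the subnet IDs from the function's `VpcConfig`. The endpoint check runs before the subnet classification on purpose: a gateway endpoint on the route table is sufficient on its own, so a private subnet with both still reports the endpoint path, which is the one that keeps DynamoDB traffic off the internet.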
Hi, I concur that B and E should be correct, as hosting Lambdas on a public subnet is not really a good security practice, together with hosting data sources on public ones.
Typically these questions may depend on how things are asked, but the question does not really put any specific constraint.
B and E in my opinion as both require the Lambda to be hosted in private subnets.
C is actually an incorrect answer. Neptune (at the time of this writing) does not allow for public access outside of a VPC unless there is a proxy in place like a load balancer. Is this from an exam?