Source: Amazon AWS Certified Solutions Architect - Associate SAA-C03 Exam
Of the 10 questions (No.181 ~ No.190), only the 2 that I met for the first time, got wrong, or had doubts about are recorded here, for my own review.
If this infringes any rights, please contact me and I will remove it.
🌟 Vocabulary:
- destination (n.): the place something is sent to; endpoint
1. Connect to on-premises database
A company has an AWS account used for software engineering. The AWS account has access to the company’s on-premises data center through a pair of AWS Direct Connect connections. All non-VPC traffic routes to the virtual private gateway.
A development team recently created an AWS Lambda function through the console. The development team needs to allow the function to access a database that runs in a private subnet in the company’s data center.
Which solution will meet these requirements?
- ✅ Configure the Lambda function to run in the VPC with the appropriate security group.
- Set up a VPN connection from AWS to the data center. Route the traffic from the Lambda function through the VPN.
- Update the route tables in the VPC to allow the Lambda function to access the on-premises data center through Direct Connect.
- ❌ Create an Elastic IP address. Configure the Lambda function to send traffic through the Elastic IP address without an elastic network interface.
✨ Keywords: Lambda function access on-premises database, AWS Direct Connect
4️⃣ ❌ -> 1️⃣ ✅
💡 Analysis: the company's own data center and AWS are connected through AWS Direct Connect, and the Lambda function now needs to reach the on-premises database.
First, be clear about the default: a newly created Lambda function does not belong to any VPC of yours, and it can reach the internet:
It can then be configured to run inside a VPC, where it gets the same network access as other resources in that VPC:
The official documentation describes Lambda as always running inside a VPC, so the wording above is not strictly accurate. From "Networking and VPC configurations": "Lambda functions always run inside VPCs owned by the Lambda service. As with customer-owned VPCs, this allows the service to apply network access and security rules to everything within the VPC. These VPCs are not visible to customers, the configurations are maintained automatically, and monitoring is managed by the service."
Back to the question: 1️⃣ is the step that must be done, so choosing it is not in doubt.
The more controversial 3️⃣ (updating route tables so the Lambda function in the VPC can reach the on-premises network) would come after 1️⃣ even if it were needed at all.
👨👨👦👦 Community discussion: To configure a VPC for an existing function:
- Open the Functions page of the Lambda console.
- Choose a function.
- Choose Configuration and then choose VPC.
- Under VPC, choose Edit.
- Choose a VPC, subnets, and security groups. <— That's why I believe the answer is A.
Note: If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address.
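The steps above, written out as infrastructure code. This is an added example, not part of the original notes and not AWS's own sample: a CloudFormation fragment that attaches a function to the VPC with a security group scoped to the on-premises database only, and an execution role carrying just the managed policy that grants the ENI permissions a VPC-attached function needs. The VPC id, subnet ids, database CIDR, port and hostname are placeholders you would replace.

```yaml
# Added example (not from the original notes or from AWS): attach a Lambda
# function to the VPC so its traffic follows the VPC route tables, which send
# non-VPC destinations to the virtual private gateway (Direct Connect).
# All ids, CIDRs and hostnames below are assumed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Lambda function attached to a VPC to reach an on-premises database

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id            # assumed: VPC whose routes point non-VPC traffic at the VGW
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>   # assumed: two private subnets in different AZs
  OnPremDbCidr:
    Type: String
    Default: 10.100.20.0/24            # assumed placeholder: data-center database subnet
  OnPremDbPort:
    Type: Number
    Default: 5432                      # assumed placeholder: PostgreSQL

Resources:
  # Security group for the function's network interfaces. Egress is limited to
  # the database subnet and port; no ingress rule exists because nothing
  # initiates connections to a Lambda ENI.
  LambdaDbClientSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lambda client access to the on-premises database only
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: !Ref OnPremDbPort
          ToPort: !Ref OnPremDbPort
          CidrIp: !Ref OnPremDbCidr

  # Execution role. AWSLambdaVPCAccessExecutionRole grants the ENI
  # create/describe/delete permissions a VPC-attached function requires plus
  # CloudWatch Logs; nothing broader is attached.
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole

  DbReachabilityFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12
      Handler: index.handler
      Role: !GetAtt LambdaRole.Arn
      # VpcConfig is the setting the question turns on: with it present, the
      # function's outbound traffic leaves through ENIs in these subnets.
      VpcConfig:
        SubnetIds: !Ref PrivateSubnetIds
        SecurityGroupIds:
          - !Ref LambdaDbClientSg
      Environment:
        Variables:
          DB_HOST: db.example.internal   # assumed placeholder, resolved via the VPC's DNS setup
          DB_PORT: !Sub "${OnPremDbPort}"
      Code:
        ZipFile: |
          import os
          import socket

          def handler(event, context):
              # Constructed check: confirm TCP reachability of the on-prem DB
              # endpoint from inside the VPC before wiring up a real client.
              host = os.environ["DB_HOST"]
              port = int(os.environ["DB_PORT"])
              with socket.create_connection((host, port), timeout=3):
                  return {"reachable": True, "host": host, "port": port}
```

Two things to check after deploying: the function no longer has internet access unless a NAT gateway sits on the subnets' route table (exactly the note in the community comment), so any AWS API calls it makes need VPC endpoints or NAT; and the on-premises firewall must admit the VPC's subnet CIDRs on the database port, since the ENI addresses come from those subnets.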
2. S3 SFTP upload
A company uses Amazon S3 as its data lake. The company has a new partner that must use SFTP to upload data files. A solutions architect needs to implement a highly available SFTP solution that minimizes operational overhead.
Which solution will meet these requirements?
- ✅ Use AWS Transfer Family to configure an SFTP-enabled server with a publicly accessible endpoint. Choose the S3 data lake as the destination.
- Use Amazon S3 File Gateway as an SFTP server. Expose the S3 File Gateway endpoint URL to the new partner. Share the S3 File Gateway endpoint with the new partner.
- Launch an Amazon EC2 instance in a private subnet in a VPC. Instruct the new partner to upload files to the EC2 instance by using a VPN. Run a cron job script on the EC2 instance to upload files to the S3 data lake.
- Launch Amazon EC2 instances in a private subnet in a VPC. Place a Network Load Balancer (NLB) in front of the EC2 instances. Create an SFTP listener port for the NLB. Share the NLB hostname with the new partner. Run a cron job script on the EC2 instances to upload files to the S3 data lake.
✨ Keywords: S3, SFTP solution
1️⃣ ✅
💡 Analysis: S3 is the data lake, and the new partner must upload files over SFTP, so a highly available SFTP solution is needed.
AWS Transfer Family lets clients talk to AWS storage services over several protocols. It is a secure transfer service for moving files into and out of AWS storage, and it is part of the AWS Cloud platform. AWS Transfer Family provides fully managed support for transferring files directly into and out of Amazon S3 or Amazon EFS over SFTP, AS2, FTPS and FTP. Because existing client authentication, access and firewall configurations are preserved, file-transfer workflows can be migrated, automated and monitored without any change for customers, partners, internal teams or their applications.
👨👨👦👦 Community discussion: For the exam:
Whenever you see SFTP or FTP, look for "Transfer" in the options available.
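Option 1 as infrastructure code. This is an added example, not from the original notes and not an AWS sample: a CloudFormation fragment that creates an SFTP-only Transfer Family server with a public endpoint, backed by the S3 data lake, and a service-managed user for the partner whose session role can only list and read/write their own prefix. The bucket name, partner name and SSH public key are placeholders; the security policy name is assumed to be one of the currently published policies and should be checked against the Transfer Family documentation.

```yaml
# Added example (not from the original notes or from AWS): a managed SFTP
# endpoint for one partner, writing into the S3 data lake under a prefix the
# partner cannot escape. Bucket, partner name and key are assumed placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Managed SFTP endpoint for a partner, backed by the S3 data lake

Parameters:
  DataLakeBucket:
    Type: String
    Default: example-data-lake-bucket   # assumed placeholder: existing data lake bucket
  PartnerName:
    Type: String
    Default: partner-a                  # assumed placeholder; also used as the S3 prefix
  PartnerSshPublicKey:
    Type: String                        # assumed: an "ssh-ed25519 AAAA..." key supplied by the partner

Resources:
  # Role the service assumes to write session logs to CloudWatch Logs, so
  # every login and file operation is recorded for review.
  TransferLoggingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess

  SftpServer:
    Type: AWS::Transfer::Server
    Properties:
      Protocols: [SFTP]                 # SFTP only; plain FTP and FTPS stay disabled
      EndpointType: PUBLIC              # the internet-facing endpoint the question asks for
      IdentityProviderType: SERVICE_MANAGED
      Domain: S3
      LoggingRole: !GetAtt TransferLoggingRole.Arn
      # Pin the cipher/key-exchange policy instead of relying on the default;
      # the name must match a policy AWS publishes (assumed current here).
      SecurityPolicyName: TransferSecurityPolicy-2024-01

  # Role assumed for the partner's sessions: list only their prefix, and
  # read/write only objects under it. No delete, nothing outside the prefix.
  PartnerAccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: transfer.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: partner-prefix-only
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Action: s3:ListBucket
                Resource: !Sub arn:aws:s3:::${DataLakeBucket}
                Condition:
                  StringLike:
                    s3:prefix:
                      - !Sub ${PartnerName}
                      - !Sub ${PartnerName}/*
              - Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                Resource: !Sub arn:aws:s3:::${DataLakeBucket}/${PartnerName}/*

  PartnerUser:
    Type: AWS::Transfer::User
    Properties:
      ServerId: !GetAtt SftpServer.ServerId
      UserName: !Ref PartnerName
      Role: !GetAtt PartnerAccessRole.Arn
      # Logical home directory: the partner sees "/" but is mapped onto
      # bucket/prefix and cannot browse the rest of the data lake.
      HomeDirectoryType: LOGICAL
      HomeDirectoryMappings:
        - Entry: /
          Target: !Sub /${DataLakeBucket}/${PartnerName}
      SshPublicKeys:
        - !Ref PartnerSshPublicKey
```

The high-availability and "minimal operational overhead" points of the question fall out of the resource choice: the server is a managed endpoint with no instances to patch, and authentication is key-based with no password to rotate. If the partner later needs to connect from fixed addresses only, the same template can be switched to a VPC endpoint type with a security group, which the PUBLIC endpoint does not offer.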

