Learn how to migrate some features from a legacy monolithic application to use AWS Lambda functions that can securely access an Amazon Aurora DB cluster in a private subnet in a VPC. Discover the best solution to achieve this without crossing the public internet.
Question
A developer is migrating some features from a legacy monolithic application to use AWS Lambda functions instead. The application currently stores data in an Amazon Aurora DB cluster that runs in private subnets in a VPC. The AWS account has one VPC deployed. The Lambda functions and the DB cluster are deployed in the same AWS Region in the same AWS account.
The developer needs to ensure that the Lambda functions can securely access the DB cluster without crossing the public internet.
Which solution will meet these requirements?
A. Configure the DB cluster’s public access setting to Yes.
B. Configure an Amazon RDS database proxy for the Lambda functions.
C. Configure a NAT gateway and a security group for the Lambda functions.
D. Configure the VPC, subnets, and a security group for the Lambda functions.
Answer
D. Configure the VPC, subnets, and a security group for the Lambda functions.
Explanation
The correct answer is D. Configure the VPC, subnets, and a security group for the Lambda functions.
Here is a detailed explanation:
- Option A is not a valid solution because it exposes the DB cluster to the public internet, which is not secure and violates the requirement. Configuring the DB cluster’s public access setting to Yes means that the DB cluster can be accessed by any IP address, which increases the risk of unauthorized access and data breaches. Moreover, this option does not ensure that the Lambda functions can access the DB cluster without crossing the public internet, as they still need to use a public endpoint to connect to the DB cluster.
- Option B is not a valid solution because it requires an additional service, which is not necessary and may incur additional costs. An Amazon RDS database proxy is a fully managed service that provides connection pooling, load balancing, and enhanced security for database connections from Lambda functions or other applications. However, in this scenario, the Lambda functions and the DB cluster are deployed in the same AWS Region and account, so they can communicate directly without using a proxy. Moreover, using a proxy does not guarantee that the Lambda functions can access the DB cluster without crossing the public internet, as they still need to use a public endpoint to connect to the proxy.
- Option C is not a valid solution because it does not enable the Lambda functions to access the DB cluster without crossing the public internet. A NAT gateway is a service that enables instances or functions in private subnets to access resources on the internet, but prevents the internet from initiating connections with them. However, in this scenario, the Lambda functions do not need to access resources on the internet, but only need to access the DB cluster in private subnets. Therefore, using a NAT gateway is unnecessary and may incur additional costs. Moreover, using a NAT gateway does not prevent the Lambda functions from crossing the public internet, as they still need to use a public endpoint to connect to the DB cluster.
- Option D is the best solution because it enables the Lambda functions to securely access the DB cluster without crossing the public internet. By configuring the VPC, subnets, and a security group for the Lambda functions, the developer can ensure that the Lambda functions are deployed in private subnets within the same VPC as the DB cluster. This way, the Lambda functions can communicate with the DB cluster using private endpoints within the VPC network. The security group can also control which ports and protocols are allowed for inbound and outbound traffic between the Lambda functions and the DB cluster.
Therefore, option D is the best solution that meets these requirements.
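As an added example (not part of the original page), the following Python function audits the option D configuration against data constructed inline in the shape of boto3 describe_* responses: it checks that the Lambda function's VpcConfig places it in subnets whose route tables carry no default route to an internet gateway, and that the DB cluster's security group admits the database port only from the Lambda function's security group. The resource IDs, the DB port (3306, assuming an Aurora MySQL-compatible cluster) and the input shapes are assumptions.

```python
"""Audit a Lambda-to-Aurora VPC setup. Inputs are constructed dicts shaped like
boto3 describe_* responses; every subnet-/sg-/igw- value is a placeholder."""
DB_PORT = 3306  # assumption: Aurora MySQL-compatible cluster

def is_private_subnet(route_table):
    """Private = no default route (0.0.0.0/0) that targets an internet gateway."""
    return not any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                   and r.get("GatewayId", "").startswith("igw-")
                   for r in route_table["Routes"])

def audit(lambda_cfg, route_tables, db_sg, lambda_sg_id):
    """Return findings; an empty list means traffic stays on the VPC network."""
    vpc = lambda_cfg.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        return ["Lambda has no VpcConfig, so it cannot reach the private DB endpoint"]
    findings = []
    if lambda_sg_id not in vpc.get("SecurityGroupIds", []):
        findings.append(f"Lambda is not attached to {lambda_sg_id}")
    for subnet in vpc["SubnetIds"]:
        rt = route_tables.get(subnet)
        if rt is None or not is_private_subnet(rt):
            findings.append(f"{subnet} is not a private subnet")
    # The DB security group should admit the DB port only from the Lambda SG.
    allowed = False
    for perm in db_sg["IpPermissions"]:
        if perm.get("FromPort", 0) <= DB_PORT <= perm.get("ToPort", 65535):
            if any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
                findings.append("DB security group opens the DB port to 0.0.0.0/0")
            if any(p["GroupId"] == lambda_sg_id for p in perm.get("UserIdGroupPairs", [])):
                allowed = True
    if not allowed:
        findings.append(f"DB security group does not allow {DB_PORT} from {lambda_sg_id}")
    return findings

# Constructed sample data: one private subnet, one public subnet, two DB security groups.
ROUTE_TABLES = {
    "subnet-private-a": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    "subnet-public-b": {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
}
GOOD_DB_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "UserIdGroupPairs": [{"GroupId": "sg-lambda"}], "IpRanges": []}]}
OPEN_DB_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
GOOD_LAMBDA = {"VpcConfig": {"SubnetIds": ["subnet-private-a"], "SecurityGroupIds": ["sg-lambda"]}}
BAD_LAMBDA = {"VpcConfig": {"SubnetIds": ["subnet-public-b"], "SecurityGroupIds": ["sg-lambda"]}}

if __name__ == "__main__":
    print("good:", audit(GOOD_LAMBDA, ROUTE_TABLES, GOOD_DB_SG, "sg-lambda"))
    print("bad: ", audit(BAD_LAMBDA, ROUTE_TABLES, OPEN_DB_SG, "sg-lambda"))
```

In a real account the same dicts come from `lambda.get_function_configuration`, `ec2.describe_route_tables` and `ec2.describe_security_groups`; the checks themselves do not change.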
The latest AWS Certified Developer – Associate (DVA-C02) practice exam question and answer (Q&A) dumps are available free to help you pass the DVA-C02 exam and earn the AWS Certified Developer – Associate certification.