Learn how to protect SAP ODP extractor services on AWS using VPC endpoint services and interface endpoints, ensuring secure and efficient data extraction for your analytics workloads.
Question
A company deploys its SAP ERP system on AWS in a highly available configuration across two Availability Zones. The cluster is configured with an overlay IP address and a Network Load Balancer (NLB) to provide access to the SAP application layer to all users. The company’s analytics team has created several Operational Data Provisioning (ODP) extractor services for the SAP ERP system.
A highly available ETL system will call the ODP extractor services. The ETL system is hosted on Amazon EC2 instances that are deployed in an analytics VPC in a different AWS account. An SAP solutions architect needs to prevent the ODP extractor services from being used as an attack vector to overload the SAP ERP system.
Which solution will provide the MOST protection for the ODP extractor services?
A. Configure VPC peering between the SAP VPC and the analytics VPC. Use network ACL rules in the SAP VPC to allow traffic to the NLB from only authorized sources: the analytics VPC CIDR block and the SAP end users’ network CIDR block.
B. Create a transit gateway in the SAP account. Share the transit gateway with the analytics account. Attach the SAP VPC and the analytics VPC to the transit gateway. Use network ACL rules in the SAP VPC to allow traffic to the NLB from only authorized sources: the analytics VPC CIDR block and the SAP end users’ network CIDR block.
C. Configure VPC peering between the SAP VPC and the analytics VPC. Update the NLB security group rules to accept traffic only from authorized sources: the ETL instances’ CIDR block and the SAP end users’ network CIDR block.
D. Create a VPC endpoint service configuration on the SAP VPC. Specify the NLB in the endpoint configuration. In the analytics account, create an IAM role that has permission to create a connection to the endpoint service. Attach the role to the ETL instances. While logged in to the ETL instances, programmatically create an interface endpoint to the NLB. Accept the request to activate the interface connection.
Answer
D. Create a VPC endpoint service configuration on the SAP VPC. Specify the NLB in the endpoint configuration. In the analytics account, create an IAM role that has permission to create a connection to the endpoint service. Attach the role to the ETL instances. While logged in to the ETL instances, programmatically create an interface endpoint to the NLB. Accept the request to activate the interface connection.
Explanation
This solution offers the most robust protection by establishing a private and secure connection between the analytics VPC and the SAP ERP system’s NLB. The ODP extractor services are shielded from public exposure, significantly reducing the attack surface.
Here’s why Option D is superior:
- Private connectivity: The VPC endpoint service and interface endpoint create a direct, private link between the ETL instances and the NLB, bypassing the public internet and potential threats.
- Granular control: IAM roles and policies provide precise access management, ensuring only authorized ETL instances can connect to the ODP extractor services.
- Scalability and manageability: This solution scales effortlessly with increasing demands and simplifies access management for future needs.
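As an added example (not part of the original question or answer), here is an IAM policy for the ETL instance role in Option D that lets the role create an interface endpoint only for the one SAP ODP endpoint service, rather than for any endpoint service in the account. REGION, ANALYTICS_ACCOUNT_ID, the vpce-svc and vpc identifiers are placeholders; the Sid fields document each statement's purpose.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DiscoverEndpointServicesSharedWithThisAccount",
      "Effect": "Allow",
      "Action": "ec2:DescribeVpcEndpointServices",
      "Resource": "*"
    },
    {
      "Sid": "CreateEndpointOnlyForTheSapOdpService",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": "arn:aws:ec2:REGION:ANALYTICS_ACCOUNT_ID:vpc-endpoint/*",
      "Condition": {
        "StringEquals": {
          "ec2:VpceServiceName": "com.amazonaws.vpce.REGION.vpce-svc-PLACEHOLDER"
        }
      }
    },
    {
      "Sid": "PlaceTheEndpointInTheAnalyticsVpc",
      "Effect": "Allow",
      "Action": "ec2:CreateVpcEndpoint",
      "Resource": [
        "arn:aws:ec2:REGION:ANALYTICS_ACCOUNT_ID:vpc/vpc-PLACEHOLDER",
        "arn:aws:ec2:REGION:ANALYTICS_ACCOUNT_ID:subnet/*",
        "arn:aws:ec2:REGION:ANALYTICS_ACCOUNT_ID:security-group/*"
      ]
    }
  ]
}
```

On the SAP side, the endpoint service should keep "acceptance required" enabled and list this role's ARN as an allowed principal, so a connection request from any other principal is never accepted.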
This practice question, answer and explanation is for the Amazon AWS Certified SAP on AWS – Specialty (PAS-C01) certification exam.