An IoT company needs to develop a product that can quickly count the number of persons in a given area.
They have used wireless sensors and a Node.js backend in AWS EC2 (ap-southeast-2 region with 3 availability zones)
As the data is very sensitive which will be analyzed by a third-party company, they need the backend to be highly available.
The backend EC2 needs to connect to the internet to download patches.
Other than that, for security reasons, EC2 should only open SSH port to a jump host.
For the below descriptions, which one is the best?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer - C.
As in the scenario, high availability is a must.
We should consider using public/private pairs in all three availability zones ap-southeast-2a, ap-southeast-2b, and ap-southeast-2c.
Then create a NAT gateway in each public subnet as NAT gateway is within the scope of an availability zone.
This can ensure that other NAT gateways can still server internet traffic even when an availability zone is out of service.
In terms of the Bastion host, it should be put in a public subnet, and the EC2 security group should allow the SSH access (port 22) for the inbound traffic from the Bastion host security group.
Option A is incorrect: Because NAT gateway should be created in each availability zone instead of meeting the need for high availability.
And bastion host ARN id is incorrect as well.
Bastion host security group should be used.
Option B is incorrect: Because NAT gateway is better than NAT instance as NAT gateway is more reliable and easier to maintain.
Moreover, the route should connect to the NAT gateway.
Option C is CORRECT: Because it has used NAT gateway in three availability zones and Bastion host in a public subnet, which is the best way.
Option D is incorrect: Because it should create three private subnets to make three public/private pairs.
It can ensure that the service is not interrupted even when one availability zone is out of service.
Moreover, NAT gateway is highly managed by AWS, and autoscaling is impossible to be added for that.
The best option for the IoT company would be Option A.
Option A suggests creating a VPC with three availability zones in the ap-southeast-2 region. For each availability zone, a public subnet and a private subnet should be created. A NAT gateway should be created in a single public subnet, and for the route table in the private subnets of all three availability zones, a route from 0.0.0.0/0 to the NAT gateway should be added.
A bastion host should be created in one public subnet, and for EC2 instances, only port 22 should be opened for inbound traffic from the bastion host ARN id. This configuration will provide highly available connectivity to the internet, secure SSH access to the EC2 instances, and keep sensitive data within the VPC's private subnet.
Option B suggests creating a VPC with three availability zones in the ap-southeast-2 region. For each availability zone, a public subnet and a private subnet should be created. A NAT instance should be created in each public subnet, and for the route table in the private subnets of all three availability zones, a route from 0.0.0.0/0 to the public subnet should be added.
A bastion host should be created in one public subnet, and for EC2 instances, only port 22 should be opened for inbound traffic from the bastion host ARN id. This option is less optimal than Option A because NAT instances are less scalable and less available than NAT gateways.
Option C suggests creating a VPC with three availability zones in the ap-southeast-2 region. For each availability zone, a public subnet and a private subnet should be created. A NAT gateway should be created in each public subnet, and for the route table in the private subnets of all three availability zones, a route from 0.0.0.0/0 to the NAT gateway should be added.
A bastion host should be created in one public subnet, and for EC2 instances, only port 22 should be opened for inbound traffic from the security group of the bastion host. This option is less optimal than Option A because it creates three NAT gateways instead of one, which is unnecessary and more expensive.
Option D suggests creating a private subnet in ap-southeast-2a and three public subnets in ap-southeast-2a, ap-southeast-2b, and ap-southeast-2c. A NAT gateway should be created using an autoscaling group in all three availability zones, and for the route table in the private subnet of ap-southeast-2a, a route from 0.0.0.0/0 to the NAT gateway should be added.
A bastion host should be created in one public subnet, and for EC2 instances, only port 22 should be opened for inbound traffic from the security group of the bastion host. This option is less optimal than Option A because it creates unnecessary complexity by using an autoscaling group for the NAT gateway and only provides a NAT gateway in one availability zone instead of three.
In summary, Option A is the best option because it creates a VPC with three availability zones and a single NAT gateway for all three private subnets. It also provides secure SSH access to the EC2 instances through a bastion host and keeps sensitive data within the private subnet.