Connect VPC Subnet to Amazon Kinesis Stream Privately
Question
You deploy an application running on EC2 under a VPC subnet.
The data generated from the application need to be sent to an Amazon Kinesis Stream. For security concerns, you want to connect the subnet to the Kinesis Stream privately so that the traffic between the subnet and the Kinesis service does not leave the Amazon network. What is the best way to implement this?
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D.Answer: A.
Option A is CORRECT because using the interface endpoint, EC2 instances can communicate with Kinesis Streams using an endpoint-specific DNS hostname such as vpce-123-ab.kinesis.us-east-1.vpce.amazonaws.com.
This satisfied the required ask of communication between AWS services within the AWS network.
Option B is incorrect because the endpoint type for the Kinesis Streams service should be interface endpoint instead of gateway endpoint.
Gateway endpoint is usually used for Amazon S3 and DynamoDB services.
Option C is incorrect because a virtual private gateway is usually required while creating a connection with on-premises using a VPN or a Direct Connect Connection.
To create a VPC interface endpoint, we do not need the virtual private gateway.
Option D is incorrect because a VPN service is used when a connection has to be established between on-premises and AWS and not within the AWS services.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
The best way to implement a private connection between an EC2 instance in a VPC subnet and an Amazon Kinesis Stream service would be to create an interface endpoint to the Kinesis Streams service. Answer A is the correct option.
Explanation: An Amazon VPC (Virtual Private Cloud) is a virtual network dedicated to an AWS account. It provides several benefits, such as increased security and control over the environment, among others. Amazon Kinesis Streams is a managed service that allows real-time processing of streaming data at scale. When a data-generating application running on an EC2 instance within a VPC subnet needs to send data to a Kinesis Stream, it is important to ensure that the traffic between the subnet and the Kinesis service is secure.
To achieve this, the best solution would be to create an interface endpoint to the Kinesis Streams service. An interface endpoint is an elastic network interface that is attached to a subnet in your VPC, which allows the EC2 instances in that subnet to communicate with the Kinesis service privately, without having to go through the internet. By using an interface endpoint, the traffic between the subnet and the Kinesis service stays within the Amazon network and is not exposed to the public internet.
Option B, adding a gateway endpoint for the Kinesis Streams service, is incorrect as a gateway endpoint is used for S3 and DynamoDB services, not for Kinesis. Option C, enabling a VPC endpoint for the Kinesis Streams service and configuring a virtual private gateway in the VPC subnet, is incorrect as it is not necessary to configure a virtual private gateway to enable a VPC endpoint. Option D, configuring a VPN connection between the VPC subnet and the Kinesis Streams service, is also incorrect as it is more complicated and involves more configuration than creating an interface endpoint.
In summary, creating an interface endpoint to the Kinesis Streams service is the best way to implement a private connection between an EC2 instance in a VPC subnet and the Kinesis service.
