Securing Connectivity for AWS Elastic Beanstalk Go RESTful API

Private Connectivity for AWS Elastic Beanstalk Go RESTful API


Question

You build and deploy a Go RESTful API in AWS Elastic Beanstalk.

Several other applications need to call the API.

For security reasons, the connectivity between applications and the API in Elastic Beanstalk should be private.

That means the traffic should not be exposed to the public internet.

How can this requirement be achieved?

Answers

Explanations


A. B. C. D.

Correct Answer - D.

Option A is incorrect because this method does not enable private connections between applications and Elastic Beanstalk.

Option B is incorrect because the NAT gateway is for internet access and does not help in this question.

Option C is incorrect because the API in API Gateway does not provide a private connection.

Option D is CORRECT because the VPC endpoint provides a private connection for the Elastic Beanstalk service.

Reference:

https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.html

The correct answer to the question is D. Set up a VPC endpoint for Elastic Beanstalk and enable other applications to send requests to Elastic Beanstalk using AWS PrivateLink.

Explanation: To achieve private connectivity between the Go RESTful API in Elastic Beanstalk and the other applications, you need to ensure that the traffic between them is not exposed to the public internet. There are several ways to achieve this in AWS, but the most suitable solution for this scenario is to set up a VPC endpoint for Elastic Beanstalk and use AWS PrivateLink to enable other applications to send requests to Elastic Beanstalk.

AWS PrivateLink is a service that enables you to access AWS services over a private network connection. It provides secure and scalable access to services, such as Elastic Beanstalk, without exposing the traffic to the public internet. By setting up a VPC endpoint for Elastic Beanstalk, you can establish a private connection between the Elastic Beanstalk environment and other applications within the same VPC. This connection is secured by the VPC's security groups and network access control lists (ACLs), and it doesn't require an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

To set up a VPC endpoint for Elastic Beanstalk, you need to follow these steps:

  1. Create a VPC endpoint service for Elastic Beanstalk in the same region where your Elastic Beanstalk environment is located.

  2. Enable the VPC endpoint service to accept connections from the VPC where your other applications are located.

  3. Create a VPC endpoint for Elastic Beanstalk in the VPC where your other applications are located.

  4. Update the security group rules and network ACLs in the VPC to allow traffic from the VPC endpoint to the Elastic Beanstalk environment.

  5. Update the DNS configuration in your other applications to use the VPC endpoint DNS name to connect to the Elastic Beanstalk environment.

By following these steps, you can establish a private and secure connection between your Elastic Beanstalk environment and other applications, without exposing the traffic to the public internet.
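A check that complements step 5, as an added example that is not part of the original page: it audits the host names client applications are configured with and flags any that resolve to a non-private address. It assumes the VPC uses RFC 1918 or RFC 4193 address space; the host names, addresses and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Resolver maps a host name to addresses; injectable so the audit runs offline.
type Resolver func(host string) ([]netip.Addr, error)

// AuditHost returns the resolved addresses that are NOT private (RFC 1918 / RFC 4193).
// An empty slice with a nil error means every address is in private address space.
func AuditHost(host string, resolve Resolver) ([]netip.Addr, error) {
	addrs, err := resolve(host)
	if err != nil {
		return nil, fmt.Errorf("resolve %s: %w", host, err)
	}
	if len(addrs) == 0 {
		return nil, fmt.Errorf("resolve %s: no addresses", host)
	}
	var public []netip.Addr
	for _, a := range addrs {
		if a = a.Unmap(); !a.IsPrivate() { // Unmap handles ::ffff:10.0.0.1 forms
			public = append(public, a)
		}
	}
	return public, nil
}

// constructedResolver is sample data for the demo, not real DNS records.
func constructedResolver(host string) ([]netip.Addr, error) {
	records := map[string][]string{
		"api.internal.example": {"10.0.12.34", "10.0.45.67"},
		"api-mixed.example":    {"10.0.12.34", "203.0.113.10"},
	}
	var out []netip.Addr
	for _, s := range records[host] {
		out = append(out, netip.MustParseAddr(s))
	}
	return out, nil
}

func main() {
	for _, h := range []string{"api.internal.example", "api-mixed.example", "unknown.example"} {
		public, err := AuditHost(h, constructedResolver)
		fmt.Printf("%-22s public=%v err=%v\n", h, public, err)
	}
}
```

For a live check, pass a resolver that wraps `net.DefaultResolver.LookupNetIP` and run it from inside the client VPC, since the answer depends on which DNS view the client sees.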

Option A is incorrect because disabling internet access for Elastic Beanstalk by removing the public IP address doesn't provide private connectivity between the Elastic Beanstalk environment and other applications within the same VPC.

Option B is partially correct, but it involves creating a NAT gateway in the public subnet, which is not necessary for this scenario. Using AWS PrivateLink provides a more secure and scalable solution without the need for a NAT gateway.

Option C is also incorrect because configuring an API in API Gateway doesn't provide private connectivity between the Elastic Beanstalk environment and other applications within the same VPC.