Question 22: You have an application that uses a Kinesis Data Stream. This application also accesses some sensitive data, so you have placed it in a private subnet. You want the application to connect to the Kinesis Data Stream without leaving the AWS private network and without using the public internet by any means. Which of the following solutions is ideal for the given scenario?

1. You will be creating an IPSec VPN connection.

2. You will be using NAT instances.

3. You will be removing Internet Gateway from the private subnet.

4. You will be using VPC peering connection

5. You will be using VPC endpoint connection

Correct Answer: 5. Explanation: The question asks how an application residing in a private VPC can communicate with the Kinesis Data Stream service without leaving the AWS private network.

Option-1 is talking about a VPN connection. An IPSec VPN connection is established over the public internet, so this cannot be the answer.

Option-2: Not a solution, because NAT instances exist to give EC2 instances in a private subnet, which cannot reach the internet directly, a path out to the internet. Hence, not a correct choice.

Option-3: An Internet Gateway is attached to the VPC, not to a subnet; when you remove the Internet Gateway from the VPC, the VPC becomes private. A private subnet does not have an Internet Gateway in the first place, so "removing the Internet Gateway from the private subnet" is not a meaningful statement. Hence, it cannot be a correct choice.

Option-4: VPC peering is the solution when you want to establish a private connection between two VPCs without using the public internet, so this could be a partially correct answer. But before concluding, let us look at the next option.

Option-5: Create a VPC endpoint. When you use an interface VPC endpoint, traffic remains on the AWS network only. VPC endpoints are created for an AWS service and do not require an Internet Gateway, NAT devices, a VPN connection, or AWS Direct Connect (a costly solution). Interface VPC endpoints are powered by AWS PrivateLink, an AWS technology that enables private communication between your VPC and AWS services through an ENI (Elastic Network Interface) with private IPs in your VPC. Hence, this option is the most accurate.
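As an added example (not part of the original question or its answer key), the check below verifies the configuration the explanation describes: that a VPC has an available interface endpoint for Kinesis Data Streams with private DNS enabled, so the application's default `kinesis.<region>.amazonaws.com` hostname resolves to the endpoint's ENIs instead of public addresses. The input has the shape of `aws ec2 describe-vpc-endpoints` output, but every ID, subnet and security group in it is a constructed sample value, and `check_kinesis_endpoint` is a hypothetical helper written for this page.

```python
"""Confirm that private subnets reach Kinesis Data Streams only through an
interface VPC endpoint (AWS PrivateLink), i.e. without an IGW or NAT path.

Added example; not code from the original page. The JSON below mirrors the
shape of `aws ec2 describe-vpc-endpoints`, with constructed sample values.
"""
import json

REGION = "us-east-1"
# Constructed: the two private subnets the application runs in.
PRIVATE_SUBNETS = ["subnet-0aaa11112222bbbb3", "subnet-0ccc33334444dddd5"]

# Constructed sample response: one Kinesis endpoint that covers only one subnet.
DESCRIBE_VPC_ENDPOINTS = json.dumps({
    "VpcEndpoints": [
        {
            "VpcEndpointId": "vpce-0123456789abcdef0",          # constructed
            "VpcEndpointType": "Interface",
            "VpcId": "vpc-0a1b2c3d4e5f6a7b8",                   # constructed
            "ServiceName": "com.amazonaws.us-east-1.kinesis-streams",
            "State": "available",
            "PrivateDnsEnabled": True,
            "SubnetIds": ["subnet-0aaa11112222bbbb3"],
            "Groups": [{"GroupId": "sg-0f0e0d0c0b0a09080",       # constructed
                        "GroupName": "kinesis-endpoint-sg"}],
        }
    ]
})


def kinesis_service_name(region):
    """PrivateLink service name for Kinesis Data Streams in a region."""
    return f"com.amazonaws.{region}.kinesis-streams"


def check_kinesis_endpoint(describe_json, region, private_subnets):
    """Return a list of findings; an empty list means every listed private
    subnet can use the Kinesis interface endpoint with private DNS."""
    endpoints = json.loads(describe_json)["VpcEndpoints"]
    wanted = kinesis_service_name(region)
    matches = [e for e in endpoints if e["ServiceName"] == wanted]
    if not matches:
        # Without an endpoint, Kinesis calls can only leave via NAT or an IGW.
        return [f"no VPC endpoint for {wanted}: Kinesis traffic would need "
                f"a NAT or Internet Gateway path"]
    findings = []
    for ep in matches:
        eid = ep["VpcEndpointId"]
        # Kinesis is offered only as an interface (PrivateLink) endpoint;
        # gateway endpoints exist for S3 and DynamoDB only.
        if ep["VpcEndpointType"] != "Interface":
            findings.append(f"{eid}: expected an Interface endpoint, "
                            f"got {ep['VpcEndpointType']}")
        if ep["State"] != "available":
            findings.append(f"{eid}: state is {ep['State']}, not available")
        # Without private DNS the SDK's default hostname still resolves to
        # public IPs; clients would have to use the endpoint-specific name.
        if not ep.get("PrivateDnsEnabled", False):
            findings.append(f"{eid}: PrivateDnsEnabled is false; clients "
                            f"must be pointed at the endpoint-specific DNS name")
        # Each private subnet the application uses should have an endpoint
        # ENI; otherwise its traffic relies on an ENI elsewhere in the VPC.
        missing = sorted(set(private_subnets) - set(ep.get("SubnetIds", [])))
        for subnet in missing:
            findings.append(f"{eid}: no endpoint ENI in private subnet {subnet}; "
                            f"clients there rely on an ENI elsewhere in the VPC")
        # The endpoint's security group must admit HTTPS from the application.
        if not ep.get("Groups"):
            findings.append(f"{eid}: no security group attached; allow TCP 443 "
                            f"inbound from the application subnets")
    return findings


if __name__ == "__main__":
    for line in check_kinesis_endpoint(DESCRIBE_VPC_ENDPOINTS, REGION, PRIVATE_SUBNETS):
        print("FINDING:", line)
```

To run it against a real account, feed it the JSON from `aws ec2 describe-vpc-endpoints --filters Name=vpc-id,Values=<your-vpc-id>` in place of the constructed sample. Note that the endpoint's security group and the route tables of the private subnets are what keep Kinesis traffic off the internet; the check above covers the endpoint itself and flags the gaps a reviewer would want closed.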
