DOP-C02 Question #337: Real Exam Question with Answer & Explanation
Correct answers: C, E and F. Create an Amazon ECR pull through cache rule for the public ECR registry and update each task definition to reference the cached image path, create an ECR interface VPC endpoint for the private ECR repositories (the cached copies of the public images are themselves private repositories, so they are reached the same way), and create an Amazon S3 gateway endpoint, because ECR serves image layers from Amazon S3. There is no VPC endpoint for the Amazon ECR Public registry, so option D cannot be implemented, and per-image CodeBuild mirrors or per-image cache rules (A, B) add operational overhead that a single registry-level cache rule avoids.
Question
A company is running an internal application in an Amazon Elastic Container Service (Amazon ECS) cluster on Amazon EC2. The ECS cluster instances can connect to the public internet. The ECS tasks that run on the cluster instances are configured to use images from both private Amazon Elastic Container Registry (Amazon ECR) repositories and a public ECR registry repository. A new security policy requires the company to remove the ECS cluster's direct access to the internet. The company must remove any NAT gateways and internet gateways from the VPC that hosts the cluster. A DevOps engineer needs to ensure the ECS cluster can still download images from both the public ECR registry and the private ECR repositories. Images from the public ECR registry must remain up-to-date. New versions of the images must be available to the ECS cluster within 24 hours of publication. Which combination of steps will meet these requirements with the LEAST operational overhead? (Choose three.)
Options
- A. Create an AWS CodeBuild project and a new private ECR repository for each image that is
- B. Create a new Amazon ECR pull through cache rule for each image that is downloaded from the
- C. Create a new Amazon ECR pull through cache rule for the public ECR registry. Update each task
- D. Create an Amazon ECR interface VPC endpoint for the public ECR repositories that are in the
- E. Create an Amazon ECR interface VPC endpoint for the private ECR repositories that are in the
- F. Create an Amazon S3 gateway endpoint in the VPC.
Explanation
A pull through cache rule (option C) makes the private Amazon ECR registry act as a caching mirror of an upstream registry, here public.ecr.aws. A single rule with a repository prefix (for example ecr-public) covers every image in the upstream registry; the first pull of an image through the prefix creates the private repository and imports the image, and after that Amazon ECR checks the upstream registry for a newer version at least once every 24 hours, which satisfies the freshness requirement with no pipeline of your own. The upstream fetch is performed by the ECR service, not from inside the VPC, so it keeps working after the NAT and internet gateways are removed. Each task definition must be updated to reference the cached path, <account-id>.dkr.ecr.<region>.amazonaws.com/<prefix>/<alias>/<repo>:<tag>, instead of public.ecr.aws/<alias>/<repo>:<tag>, and the task execution role needs ecr:BatchImportUpstreamImage (plus ecr:CreateRepository for first pulls that create the cache repository).

Because the cached images live in the private registry, the cluster reaches both them and the company's own private repositories over the private ECR interface VPC endpoints (option E): com.amazonaws.<region>.ecr.api for the registry API and com.amazonaws.<region>.ecr.dkr for the Docker registry calls, with private DNS enabled so the standard ECR hostnames resolve to the endpoint. Option D is not viable because Amazon ECR Public has no VPC endpoint; the cache is what removes the need for one. Finally, ECR stores image layers in Amazon S3 and returns presigned S3 URLs for layer downloads, so without an S3 gateway endpoint in the VPC (option F) every pull fails after authentication succeeds. If the tasks log with the awslogs driver, a CloudWatch Logs interface endpoint is needed for the same reason, although the question does not ask about it. Together, one cache rule plus three VPC endpoints meet the requirements with the least operational overhead; CodeBuild mirrors (A) or one cache rule per image (B) would have to be maintained for every new image.
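The following is an added worked example, not part of the exam page or of any AWS tooling: a small Python script that rewrites ECS task-definition image references onto the pull through cache prefix, checks a VPC endpoint listing (the shape returned by `aws ec2 describe-vpc-endpoints`) for the three endpoints ECR needs, and prints the AWS CLI commands that create the rule and the endpoints. The account ID, region, VPC and subnet IDs and the rule prefix `ecr-public` are hypothetical placeholders; the sample task definition and endpoint list are constructed inline.

```python
"""Added example (not from the page): move ECS image pulls onto an ECR pull
through cache and verify the VPC endpoints needed once internet access is gone.
All IDs below are hypothetical placeholders."""
import copy
import re

ACCOUNT_ID = "111122223333"   # hypothetical account
REGION = "us-east-1"          # hypothetical region
CACHE_PREFIX = "ecr-public"   # assumed --ecr-repository-prefix of the cache rule

PUBLIC_ECR = "public.ecr.aws"
PRIVATE_ECR_RE = re.compile(r"^\d{12}\.dkr\.ecr\.[a-z0-9-]+\.amazonaws\.com/")

# Endpoints ECR pulls depend on: registry API, Docker registry API, and S3 for layers.
REQUIRED_ENDPOINTS = (("ecr.api", "Interface"), ("ecr.dkr", "Interface"), ("s3", "Gateway"))


def private_registry(account_id=ACCOUNT_ID, region=REGION):
    return f"{account_id}.dkr.ecr.{region}.amazonaws.com"


def rewrite_image(image, account_id=ACCOUNT_ID, region=REGION, prefix=CACHE_PREFIX):
    """Map public.ecr.aws/<alias>/<repo>:<tag> (or @digest) to the cached path
    <acct>.dkr.ecr.<region>.amazonaws.com/<prefix>/<alias>/<repo>:<tag>.
    Private ECR references are returned unchanged. Any other upstream (Docker Hub,
    quay.io, ...) is not covered by a public-ECR rule, so it is reported, not guessed."""
    if image.startswith(PUBLIC_ECR + "/"):
        upstream_path = image[len(PUBLIC_ECR) + 1:]
        return f"{private_registry(account_id, region)}/{prefix}/{upstream_path}"
    if PRIVATE_ECR_RE.match(image):
        return image
    raise ValueError(f"{image}: not ECR Public or private ECR; needs its own cache rule")


def rewrite_task_definition(task_def, **kw):
    """Return a copy of the task definition with every container image rewritten."""
    new = copy.deepcopy(task_def)
    for container in new.get("containerDefinitions", []):
        container["image"] = rewrite_image(container["image"], **kw)
    return new


def missing_endpoints(existing, region=REGION):
    """existing: list of {"ServiceName": ..., "VpcEndpointType": ...} dicts, the
    fields describe-vpc-endpoints returns. Returns (service, type) pairs still missing."""
    have = {(e["ServiceName"], e["VpcEndpointType"]) for e in existing}
    return [
        (f"com.amazonaws.{region}.{svc}", typ)
        for svc, typ in REQUIRED_ENDPOINTS
        if (f"com.amazonaws.{region}.{svc}", typ) not in have
    ]


def setup_commands(vpc_id, subnet_ids, sg_id, route_table_ids, region=REGION, prefix=CACHE_PREFIX):
    """AWS CLI commands for the cache rule and the three endpoints (returned, not executed)."""
    cmds = [
        f"aws ecr create-pull-through-cache-rule --region {region} "
        f"--ecr-repository-prefix {prefix} --upstream-registry-url {PUBLIC_ECR}"
    ]
    for svc, typ in REQUIRED_ENDPOINTS:
        base = (f"aws ec2 create-vpc-endpoint --region {region} --vpc-id {vpc_id} "
                f"--vpc-endpoint-type {typ} --service-name com.amazonaws.{region}.{svc}")
        if typ == "Interface":   # ENI-backed; private DNS keeps the normal ECR hostnames working
            cmds.append(f"{base} --subnet-ids {' '.join(subnet_ids)} "
                        f"--security-group-ids {sg_id} --private-dns-enabled")
        else:                    # S3 gateway endpoint is attached to route tables, not subnets
            cmds.append(f"{base} --route-table-ids {' '.join(route_table_ids)}")
    return cmds


# Constructed sample input: a task definition using one private and one public image.
SAMPLE_TASK_DEF = {
    "family": "internal-app",
    "containerDefinitions": [
        {"name": "app", "image": f"{private_registry()}/internal-app:1.4.2"},
        {"name": "base", "image": "public.ecr.aws/amazonlinux/amazonlinux:2023"},
    ],
}

# Constructed sample: a partially finished setup, S3 gateway endpoint not yet created.
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.us-east-1.ecr.api", "VpcEndpointType": "Interface"},
    {"ServiceName": "com.amazonaws.us-east-1.ecr.dkr", "VpcEndpointType": "Interface"},
]

if __name__ == "__main__":
    for c in rewrite_task_definition(SAMPLE_TASK_DEF)["containerDefinitions"]:
        print(f"{c['name']}: {c['image']}")
    print("missing endpoints:", missing_endpoints(SAMPLE_ENDPOINTS))
    for cmd in setup_commands("vpc-0123456789abcdef0", ["subnet-aaaa", "subnet-bbbb"],
                              "sg-0123456789abcdef0", ["rtb-0123456789abcdef0"]):
        print(cmd)
```

The `ValueError` branch is deliberate: a Docker Hub or quay.io reference would silently keep needing internet access, so the rewrite refuses it rather than producing a cache path the public-ECR rule will never serve. Register the task definition with the rewritten images and confirm the task execution role carries `ecr:BatchImportUpstreamImage` before cutting the NAT gateway over.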