PAS-C01 · Question #71
A company deploys its SAP ERP system on AWS in a highly available configuration across two Availability Zones. The cluster is configured with an overlay IP address and a Network Load Balancer (NLB) to
The correct answer is D. Create a VPC endpoint service configuration on the SAP VPC. Specify the NLB in the endpoint. Creating a VPC Endpoint Service (AWS PrivateLink) in the SAP VPC and specifying the NLB (D) provides the strongest protection. PrivateLink exposes only the specific NLB endpoint to the analytics VPC - the analytics account never gains access to any other resources in the SAP VPC.
Question
A company deploys its SAP ERP system on AWS in a highly available configuration across two Availability Zones. The cluster is configured with an overlay IP address and a Network Load Balancer (NLB) to provide access to the SAP application layer to all users. The company's analytics team has created several Operational Data Provisioning (ODP) extractor services for the SAP ERP system. A highly available ETL system will call the ODP extractor services. The ETL system is hosted on Amazon EC2 instances that are deployed in an analytics VPC in a different AWS account. An SAP solutions architect needs to prevent the ODP extractor services from being used as an attack vector to overload the SAP ERP system. Which solution will provide the MOST protection for the ODP extractor services?
Options
- AConfigure VPC peering between the SAP VPC and the analytics VPC. Use network ACL rules in
- BCreate a transit gateway in the SAP account. Share the transit gateway with the analytics account.
- CConfigure VPC peering between the SAP VPC and the analytics VPUpdate the NLB security group
- DCreate a VPC endpoint service configuration on the SAP VPC. Specify the NLB in the endpoint
How the community answered
(55 responses)- A24% (13)
- B5% (3)
- C11% (6)
- D60% (33)
Explanation
Creating a VPC Endpoint Service (AWS PrivateLink) in the SAP VPC and specifying the NLB (D) provides the strongest protection. PrivateLink exposes only the specific NLB endpoint to the analytics VPC - the analytics account never gains access to any other resources in the SAP VPC. You can enforce allowlisting so only specific accounts or principals can create connections, and traffic never traverses the public internet. This limits the attack surface to exactly the intended service. VPC peering (A, C) establishes broad network-level connectivity between both VPCs, potentially exposing all resources in the SAP VPC to the analytics account, which violates least-privilege principles and widens the attack surface. Transit Gateway (B) also provides broad network connectivity across accounts and does not isolate exposure to the specific ODP service - it routes traffic at the network level and cannot restrict access to specific services within a VPC.
Topics
Community Discussion
No community discussion yet for this question.