A web company is looking to implement an external payment service into their highly available application
deployed in a VPC. Their application EC2 instances are behind a public-facing ELB. Auto Scaling is used to add
additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling
group, but at peak it can scale 3x in size. The application instances need to communicate with the payment
service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A
maximum of 4 whitelisted IP addresses are allowed at a time, and they can be added through an API.
How should they architect their solution?
A.
Route payment requests through two NAT instances set up for High Availability and whitelist the Elastic IP
addresses attached to the NAT instances.
B.
Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
C.
Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
D.
Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a
script on boot that adds each instance's public IP address to the payment validation whitelist API.
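The crux of the question is which public source IP the payment service sees from each application instance once the group has scaled out, and whether that set fits in the 4 whitelist slots. The following model is an added example written for this page, not code from the original question or from AWS; the VPC layout, Elastic IPs, payment-service address and the whitelist API stand-in are all constructed assumptions. It applies two facts about VPC egress: a NAT instance (or gateway) source-NATs private-subnet traffic to its own Elastic IP, while an Internet Gateway only does a 1:1 mapping, so an instance with its own public IP keeps that IP as seen by the remote side.

```python
"""Egress-IP model for the payment-whitelist scenario.  Added example; every
address, subnet and API below is constructed for illustration."""
import ipaddress

MAX_WHITELIST = 4          # limit stated in the question
BASE_INSTANCES = 2         # normal load
PEAK_MULTIPLIER = 3        # "can scale 3x in size"

# Constructed VPC layout (assumption): two AZs, each with a public and a private subnet.
PUBLIC_SUBNETS = ["10.0.0.0/24", "10.0.1.0/24"]
PRIVATE_SUBNETS = ["10.0.10.0/24", "10.0.11.0/24"]

# Constructed Elastic IPs on the two NAT instances (RFC 5737 documentation range).
NAT_EIPS = {"10.0.0.0/24": "198.51.100.10", "10.0.1.0/24": "198.51.100.11"}
PAYMENT_SERVICE_IP = "203.0.113.5"   # constructed remote endpoint


def peak_instances():
    return BASE_INSTANCES * PEAK_MULTIPLIER


def lookup_route(route_table, dst):
    """Longest-prefix match over (prefix, target) pairs, as a VPC route table does."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def assign_instances(count, subnets):
    """Spread instances round-robin across subnets; returns (private_ip, subnet) pairs."""
    placed = []
    for i in range(count):
        subnet = subnets[i % len(subnets)]
        host = ipaddress.ip_network(subnet).network_address + 10 + i // len(subnets)
        placed.append((str(host), subnet))
    return placed


def egress_ips_nat_option(instance_count):
    """Option A: instances in private subnets, default route to the NAT instance in
    their AZ, which source-NATs to its Elastic IP.  Returns one entry per instance."""
    seen = []
    for _private_ip, subnet in assign_instances(instance_count, PRIVATE_SUBNETS):
        az = PRIVATE_SUBNETS.index(subnet)
        route_table = [("10.0.0.0/16", "local"), ("0.0.0.0/0", f"nat-{az}")]
        target = lookup_route(route_table, PAYMENT_SERVICE_IP)
        nat_subnet = PUBLIC_SUBNETS[int(target.split("-")[1])]
        seen.append(NAT_EIPS[nat_subnet])   # payment service sees the NAT's EIP
    return seen


def egress_ips_public_ip_option(instance_count):
    """Option D: instances in public subnets with auto-assigned public IPs; the IGW
    maps each instance 1:1, so every instance shows its own distinct source IP."""
    seen = []
    for i, (_private_ip, _subnet) in enumerate(assign_instances(instance_count, PUBLIC_SUBNETS)):
        route_table = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]
        assert lookup_route(route_table, PAYMENT_SERVICE_IP) == "igw"
        # Constructed per-instance public IP; real ones are allocated by AWS on launch.
        seen.append(str(ipaddress.ip_address("198.51.100.100") + i))
    return seen


def fits_whitelist(egress_ips):
    """True if the distinct egress IPs fit in the provider's whitelist."""
    return len(set(egress_ips)) <= MAX_WHITELIST


class PaymentWhitelist:
    """Constructed stand-in for the provider's whitelist API (rejects a 5th address)."""
    def __init__(self):
        self.entries = set()

    def add(self, ip):
        if ip in self.entries:
            return True
        if len(self.entries) >= MAX_WHITELIST:
            return False
        self.entries.add(ip)
        return True


def boot_script_outcome(egress_ips):
    """Simulate each instance's boot script calling the API in launch order; returns
    how many instances end up with their egress IP whitelisted."""
    api = PaymentWhitelist()
    return sum(1 for ip in egress_ips if api.add(ip))


if __name__ == "__main__":
    n = peak_instances()
    for name, ips in (("A (NAT EIPs)", egress_ips_nat_option(n)),
                      ("D (per-instance IPs)", egress_ips_public_ip_option(n))):
        print(f"{name}: {len(set(ips))} distinct IPs, fits={fits_whitelist(ips)}, "
              f"instances whitelisted={boot_script_outcome(ips)}/{n}")
```

At peak the NAT design presents 2 source addresses for 6 instances, so both fit with slots to spare, whereas the per-instance design needs 6 slots and the last two instances to boot are refused by the API and cannot reach the payment service. Note the caveat the model makes visible: a NAT instance's EIP is a fixed address only as long as that instance (or its failover replacement) keeps the same EIP, so any HA failover script must re-associate the EIP rather than allocate a new one.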
Why shouldn't it be A?
Answer is A
B is incorrect as you do not have insight into the public IP associated with a VPC Internet Gateway.
C is incorrect as ELB receives a public DNS name.
D would exceed the maximum of 4 whitelisting IP addresses.
Which leaves A as the correct answer.
A is right
A
http://jayendrapatil.com/category/aws/vpc/nat/
A:
Answer = B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
A – if the app servers are behind an ELB then they should be in a private subnet, so would need to be routed through NATs. They would have the NATs’ IP addresses, so this would work.
B – EC2 instances with public IP addresses in a public subnet are routed through the gateway, but will keep their own IP address. So this won’t work
C – You can’t route outbound traffic through an ELB so this won’t work.
D – At peak load, the ASG will have 6 servers, and the payment service only allows 4 to be whitelisted, so this won’t work.
Answer: A
I think there are just a few things problematic with A:
1. NAT instances are not highly available (I know we use a cluster); they need manual failover.
2. Most important thing is the servers are in a public subnet, not private, so not exactly the scenario for a NAT instance (it's for servers in a private subnet).
3. The Internet gateway is highly available and not bandwidth constrained, and they only need to go out, not back in, so that's the default config for an Internet gateway with a public subnet.