What should the solutions architect do to meet these requirements?

A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and in internet gateway Each public subnet also contains a NAT gateway Most of the company’s applications read from and write to Amazon Kinesis Data Streams. Most of the workloads run in private subnets.

A solutions architect must review the infrastructure. The solutions architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.

What should the solutions architect do to meet these requirements?
A . Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
B . Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
C . Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams Configure security groups to block that traffic
D . Add an interface VPC endpoint for Kinesis Data Streams to the VPC Ensure that the VPC endpoint policy allows traffic from the applications

View Answer

Answer: B

Explanation:

In order to reduce costs and maintain the functionality of the application, it is best practice to reduce the use of NAT gateways, as the main source of costs here is the data transmitted through the NAT gateway. In this case, the solution architect found that the NatGateway-Bytes charge increased the cost of the EC2-Other category, meaning that a large amount of data transfer was made through the NAT gateway. Most companies’ applications are reading and writing data from Amazon Kinesis Data Streams, and these workloads are primarily running in private subnets.

By adding an Interface VPC endpoint to connect directly to Kinesis Data Streams, you can allow applications in a private subnet to directly access Kinesis Data Streams without going through a NAT gateway, thereby reducing the data transfer costs of the NAT gateway. This not only reduces costs, but also maintains the functionality of the application. Ensuring that the application has the correct IAM permissions to use the interface VPC endpoint is key to ensuring that this change goes smoothly.