To Nha Notes | May 17, 2022, 8:51 p.m.
QUESTION: A company has an internal AWS Elastic Beanstalk worker environment inside a VPC that must access an external payment gateway API available on an HTTPS endpoint the public internet Because of security policies, the payment gateway’s Application team can grant access to only one public IP address. Which architecture will set up an Elastic Beanstalk environment to access the company’s application without making multiple changes on the company’s end?
Answer # 1: Configure the Elastic Beanstalk application to place Amazon EC2 instances in a private subnet with an outbound route to a NAT gateway in a public subnet Associate an Elastic IP address to the NAT gateway that can be whitelisted on the payment gateway application side.
Answer #2: Configure the Elastic Beanstalk application to place Amazon EC2 instances in a private subnet Set an https_proxy application parameter to send outbound HTTPS connections to an EC2 proxy server deployed in a public subnet Associate an Elastic IP address to the EC2 proxy host that can be whitelisted on the payment gateway application side
Both answers looks technically correct. Maybe it’s about that part of the question: "without making multiple changes on the company’s end"?
Setting up proxy requires to configure all apps that will use it (f.e. by setting up https_proxy env variable)- hence multiple changes.
Setting up NAT gateway is a matter of subnet routing and attaching Elastic IP, so no changes to apps themselves are required.
https://acloudguru.com/forums/aws-csa-pro-2019/when-should-i-use-proxy-server-or-nat-gateway-to-connect-on-https-endpoint-over-internet