AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 272
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
Answer options
- A. Deploy the SaaS service endpoint behind a Network Load Balancer.
- B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
- C. Deploy the SaaS service endpoint behind an Application Load Balancer.
- D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
- E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.
Correct answer: A, B
Explanation
AWS PrivateLink allows SaaS providers to securely expose services to other VPCs without using public IPs, which elegantly resolves the issue of overlapping CIDR blocks. To implement this, the provider must deploy a Network Load Balancer in front of the application and create a VPC endpoint service that clients can connect to. Other solutions like VPC peering or AWS Transit Gateway do not easily support overlapping IP addresses, and PrivateLink endpoint services require a Network Load Balancer rather than an Application Load Balancer.
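Steps A and B written out as a CloudFormation template (an added example, not part of the original question or of any AWS documentation): it creates the internal Network Load Balancer in front of the application, the endpoint service that fronts it, and the permission entry that lets a named customer principal create a connection. `VpcId`, `SubnetIds` and `InstanceId` are assumed parameters, and `CustomerPrincipal` is a placeholder for the customer's account or role ARN.

```yaml
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  InstanceId:
    Type: AWS::EC2::Instance::Id      # SaaS application host (assumed)
  CustomerPrincipal:
    Type: String                      # placeholder: arn:aws:iam::<CUSTOMER_ACCOUNT_ID>:root
Resources:
  # Step A: internal NLB in front of the SaaS application (PrivateLink requires an NLB)
  SaaSNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal                # no public IP; reachable only through the endpoint service
      Subnets: !Ref SubnetIds
  SaaSTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      Protocol: TCP
      Port: 443
      VpcId: !Ref VpcId
      TargetType: instance
      Targets:
        - Id: !Ref InstanceId
  SaaSListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref SaaSNlb
      Protocol: TCP
      Port: 443
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref SaaSTargetGroup
  # Step B: endpoint service fronting the NLB; customers learn only its service name, never provider CIDRs
  SaaSEndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns: [ !Ref SaaSNlb ]
      AcceptanceRequired: true        # provider reviews and accepts each customer connection request
  SaaSEndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref SaaSEndpointService
      AllowedPrincipals: [ !Ref CustomerPrincipal ]   # only listed principals may request a connection
Outputs:
  ServiceName:                        # the one value handed to customers; no IP ranges are exchanged
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${SaaSEndpointService}"
```

The customer then creates an interface VPC endpoint in its own VPC that references this service name, so the overlapping address ranges on each side never need to be routed between the two VPCs.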