AWS Certified Solutions Architect – Associate (SAA-C02) — Question 263
A software vendor is deploying a new software-as-a-service (SaaS) solution that will be utilized by many AWS users. The service is hosted in a VPC behind a Network Load Balancer. The software vendor wants to provide access to this service to users with the least amount of administrative overhead and without exposing the service to the public internet.
What should a solutions architect do to accomplish this goal?
Answer options
- A. Create a peering VPC connection from each user's VPC to the software vendor's VPC.
- B. Deploy a transit VPC in the software vendor's AWS account. Create a VPN connection with each user account.
- C. Connect the service in the VPC with an AWS PrivateLink endpoint. Have users subscribe to the endpoint.
- D. Deploy a transit VPC in the software vendor's AWS account. Create an AWS Direct Connect connection with each user account.
Correct answer: C
Explanation
The correct answer is C. AWS PrivateLink gives users private access to a service hosted in a VPC without exposing it to the public internet, and it keeps administrative overhead low because users only have to subscribe to the endpoint. Options A and B require a separate VPC peering or VPN connection for every user, which increases management tasks and complexity. Option D also adds unnecessary complexity by requiring an AWS Direct Connect connection with each user account, which this scenario does not need.