AWS Certified Solutions Architect – Associate (SAA-C02) — Question 317
A company that recently started using AWS establishes a Site-to-Site VPN between its on-premises datacenter and AWS. The company's security mandate states that traffic originating from on premises should stay within the company's private IP space when communicating with an Amazon Elastic Container Service (Amazon ECS) cluster that is hosting a sample web application.
Which solution meets this requirement?
Answer options
- A. Configure a gateway endpoint for Amazon ECS. Modify the route table to include an entry pointing to the ECS cluster.
- B. Create a Network Load Balancer and AWS PrivateLink endpoint for Amazon ECS in the same VPC that is hosting the ECS cluster.
- C. Create a Network Load Balancer in one VPC and an AWS PrivateLink endpoint for Amazon ECS in another VPC. Connect the two VPCs by using VPC peering.
- D. Configure an Amazon Route 53 record with Amazon ECS as the target. Apply a server certificate to Route 53 from AWS Certificate Manager (ACM) for SSL offloading.
Correct answer: B
Explanation
AWS PrivateLink (interface VPC endpoints) allows resources inside a VPC, or on-premises hosts connected to it over a Site-to-Site VPN, to reach Amazon ECS using private IP addresses only. By deploying a Network Load Balancer and an AWS PrivateLink endpoint in the same VPC as the ECS cluster, on-premises traffic is routed entirely within the company's private IP space and never traverses the public internet. Gateway endpoints exist only for Amazon S3 and Amazon DynamoDB, so option A is incorrect. Option C introduces unnecessary multi-VPC complexity (a second VPC plus peering) to achieve what a single VPC already provides. Option D is incorrect because Route 53 is a DNS service: it does not terminate connections or attach ACM certificates for SSL offloading, and a DNS record by itself does nothing to keep traffic on private addresses.