AWS Certified Solutions Architect – Associate (SAA-C02) — Question 350

A company has an application hosted on Amazon EC2 instances in two VPCs across different AWS Regions. To communicate with each other, the instances use the internet for connectivity. The security team wants to ensure that no communication between the instances happens over the internet.
What should a solutions architect do to accomplish this?

Answer options

Correct answer: D

Explanation

Establishing an inter-Region VPC peering connection allows the Amazon EC2 instances in the two VPCs to communicate using private IP addresses over the AWS global network backbone, so the traffic never traverses the public internet; AWS also encrypts inter-Region peering traffic in transit. Peering has conditions a practitioner must meet for this to work: the two VPC CIDR blocks must not overlap, the peering request created in one Region must be accepted in the other, each VPC's route tables need a route for the peer CIDR that targets the peering connection, and security groups (and any network ACLs) must permit the application traffic. Peering is also non-transitive, so it only connects the two VPCs it is created between. NAT gateways (Option A) exist to let resources in private subnets reach the internet, which is the opposite of the requirement. VPC endpoints (Option B) privately connect a VPC to supported AWS services, not to EC2 instances in another VPC. A standard AWS Site-to-Site VPN connection (Option C) encrypts traffic with IPsec but still carries it across the public internet, so it does not satisfy the security team's requirement.
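As an added example (not part of the original question and not AWS material), the Terraform configuration below builds the inter-Region peering described in the explanation: a requester in one Region, an accepter in the other, a route in each direction, and a security group rule that admits only the peer VPC's CIDR. The Regions, CIDR blocks, resource names, provider aliases and the port number are assumptions chosen for illustration.

```hcl
# Added example: inter-Region VPC peering between two application VPCs.
# Region names, CIDRs, names and the port are assumptions for illustration.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

# One provider alias per Region: the accepter side of an inter-Region
# peering must be created from the peer Region.
provider "aws" {
  alias  = "east"
  region = "us-east-1"
}

provider "aws" {
  alias  = "west"
  region = "us-west-2"
}

# The two VPC CIDR blocks must not overlap, or the peer routes cannot be added.
resource "aws_vpc" "app_east" {
  provider   = aws.east
  cidr_block = "10.10.0.0/16"
  tags       = { Name = "app-east" }
}

resource "aws_vpc" "app_west" {
  provider   = aws.west
  cidr_block = "10.20.0.0/16"
  tags       = { Name = "app-west" }
}

# Requester side, created in us-east-1 and pointing at the VPC in us-west-2.
# auto_accept is not available across Regions; the peer Region accepts below.
resource "aws_vpc_peering_connection" "east_to_west" {
  provider    = aws.east
  vpc_id      = aws_vpc.app_east.id
  peer_vpc_id = aws_vpc.app_west.id
  peer_region = "us-west-2"
  auto_accept = false
  tags        = { Name = "app-east-to-app-west" }
}

# Accepter side: the same connection, accepted from us-west-2.
resource "aws_vpc_peering_connection_accepter" "west_accepts_east" {
  provider                  = aws.west
  vpc_peering_connection_id = aws_vpc_peering_connection.east_to_west.id
  auto_accept               = true
  tags                      = { Name = "app-west-accepts-app-east" }
}

# Routes are required in BOTH VPCs: each route table must send the peer CIDR
# to the peering connection, otherwise packets still have no private path.
resource "aws_route" "east_to_west" {
  provider                  = aws.east
  route_table_id            = aws_vpc.app_east.main_route_table_id
  destination_cidr_block    = aws_vpc.app_west.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.east_to_west.id
}

# Referencing the accepter's id makes this route wait until acceptance completes.
resource "aws_route" "west_to_east" {
  provider                  = aws.west
  route_table_id            = aws_vpc.app_west.main_route_table_id
  destination_cidr_block    = aws_vpc.app_east.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.west_accepts_east.id
}

# Least-privilege security group on the west side: admit only the application
# port, and only from the east VPC's CIDR rather than from 0.0.0.0/0.
resource "aws_security_group" "app_west" {
  provider = aws.west
  name     = "app-west"
  vpc_id   = aws_vpc.app_west.id
}

resource "aws_vpc_security_group_ingress_rule" "app_west_from_east" {
  provider          = aws.west
  security_group_id = aws_security_group.app_west.id
  cidr_ipv4         = aws_vpc.app_east.cidr_block
  ip_protocol       = "tcp"
  from_port         = 8443
  to_port           = 8443
}
```

After `terraform apply`, the peering connection should show status `active` (for example via `aws ec2 describe-vpc-peering-connections` in either Region), and each VPC's route table should list the peer CIDR with the `pcx-` target. If the instances still fail to connect, check network ACLs on both sides and confirm the instances are using private addresses: traffic to a peer's public IP would still leave the VPC through an internet gateway and bypass the peering path.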