AWS Certified Solutions Architect – Associate (SAA-C02) — Question 682
A company is expanding a secure, on-premises network to AWS. The on-premises network has no direct internet access. The company is setting up an AWS Direct Connect connection between the on-premises network and AWS. An application that runs in the on-premises network needs to use the AWS software development kits (SDKs).
A solutions architect must design a solution that supports this connectivity. However, the solution cannot incur additional cost beyond the cost of the Direct Connect connection.
Which solution will meet these requirements?
Answer options
- A. Create a public virtual interface (VIF). Route the AWS traffic over the public VIF.
- B. Create a VPC and a NAT gateway. Route the AWS traffic from on premises to the NAT gateway.
- C. Create a VPC and an Amazon S3 interface endpoint. Route the AWS traffic from on premises to the S3 interface endpoint.
- D. Create a VPC peering connection between the on-premises network and Direct Connect. Route the AWS traffic over the peering connection.
Correct answer: D
Explanation
Routing the AWS traffic over a dedicated VPC peering connection configured through Direct Connect allows secure transit without incurring any extra costs. Other solutions, such as deploying a NAT gateway or using interface endpoints, introduce additional hourly and data processing fees. A public VIF is not the optimal choice here as the architecture seeks to leverage Direct Connect peering paths for this specific traffic routing.