AWS Certified Solutions Architect – Associate (SAA-C03) — Question 122
A company runs workloads on AWS. The company needs to connect to a service from an external provider. The service is hosted in the provider's VPC. According to the company’s security team, the connectivity must be private and must be restricted to the target service. The connection must be initiated only from the company’s VPC.
Which solution will meet these requirements?
Answer options
- A. Create a VPC peering connection between the company's VPC and the provider's VPC. Update the route table to connect to the target service.
- B. Ask the provider to create a virtual private gateway in its VPC. Use AWS PrivateLink to connect to the target service.
- C. Create a NAT gateway in a public subnet of the company’s VPC. Update the route table to connect to the target service.
- D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.
Correct answer: D
Explanation
The correct answer is D. AWS PrivateLink is built for exactly this case. The provider fronts the target service with a Network Load Balancer in its VPC and publishes it as an endpoint service (option D's "VPC endpoint" on the provider side is, strictly, an endpoint service). The company then creates an interface VPC endpoint in its own subnets: an elastic network interface with a private IP address from the company's address space. Traffic stays on the AWS network and never traverses the internet; only the published service is reachable, not the rest of the provider's VPC; connections can be opened only from the company's VPC toward the service, since PrivateLink is unidirectional and the provider cannot initiate traffic back; the provider must accept each connection request and can restrict which AWS principals may request one; and no route table changes or overlapping-CIDR concerns arise, because the endpoint lives in the company's own VPC.
Option A is wrong because VPC peering provides bidirectional, network-level reachability to the peered VPC's CIDR range. It exposes more than the target service, lets the provider initiate traffic into the company's VPC, and requires non-overlapping address ranges; security groups would have to be relied on to narrow it down.
Option B is wrong because a virtual private gateway terminates Site-to-Site VPN and Direct Connect attachments. It is not part of PrivateLink and does not expose a service.
Option C is wrong because a NAT gateway gives instances in private subnets outbound access to the internet. It neither reaches the provider's VPC privately nor restricts the connection to a single service.
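The following Terraform configuration is an added illustration of the PrivateLink pattern behind answer D; it is not part of the exam page. It sketches both sides: the provider's internal Network Load Balancer and endpoint service (acceptance required, only the company's account allowed to connect), and the company's interface endpoint, reachable only from its own VPC on the service port. All account IDs, VPC IDs, subnet IDs, CIDR ranges, the region and the resource names are assumed placeholders.

```hcl
# Added example, not from the original page. Every identifier below is assumed.

provider "aws" {
  alias  = "provider_account" # the external provider's AWS account (assumed)
  region = "us-east-1"
}

provider "aws" {
  alias  = "company_account" # the company's AWS account (assumed)
  region = "us-east-1"
}

# ---- Provider side: expose exactly one service through an internal NLB ----
resource "aws_lb" "service_nlb" {
  provider           = aws.provider_account
  name               = "target-service-nlb"
  internal           = true # not internet-facing
  load_balancer_type = "network"
  subnets            = ["subnet-0provider1", "subnet-0provider2"] # assumed IDs
}

resource "aws_vpc_endpoint_service" "target" {
  provider                   = aws.provider_account
  acceptance_required        = true # provider approves every consumer connection
  network_load_balancer_arns = [aws_lb.service_nlb.arn]
  # Only the company's account may request a connection (assumed account ID).
  allowed_principals = ["arn:aws:iam::111122223333:root"]
}

# ---- Consumer side: interface endpoint inside the company's VPC ----
resource "aws_security_group" "endpoint_sg" {
  provider = aws.company_account
  name     = "target-service-endpoint"
  vpc_id   = "vpc-0company" # assumed

  # The endpoint ENIs accept traffic only from the company's VPC, only on the
  # service port. They never originate traffic, so no egress rule is needed.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/16"] # company VPC CIDR (assumed)
  }
}

resource "aws_vpc_endpoint" "target" {
  provider            = aws.company_account
  vpc_id              = "vpc-0company" # assumed
  service_name        = aws_vpc_endpoint_service.target.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = ["subnet-0company1", "subnet-0company2"] # assumed IDs
  security_group_ids  = [aws_security_group.endpoint_sg.id]
  private_dns_enabled = false # only possible once the provider verifies a domain
}

# The provider explicitly accepts the company's connection request; until then
# the endpoint sits in pendingAcceptance and carries no traffic.
resource "aws_vpc_endpoint_connection_accepter" "approve" {
  provider                = aws.provider_account
  vpc_endpoint_service_id = aws_vpc_endpoint_service.target.id
  vpc_endpoint_id         = aws_vpc_endpoint.target.id
}
```

Note what is absent: no route table entries, no peering, no CIDR coordination between the two VPCs. The company's workloads reach the service through the endpoint's private IP (or its endpoint DNS name), and nothing in the provider's VPC other than the NLB targets is reachable.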