AWS Certified Solutions Architect – Associate (SAA-C03) — Question 872
A company has a multi-tier web application. The application's internal service components are deployed on Amazon EC2 instances. The internal service components need to access third-party software as a service (SaaS) APIs that are hosted on AWS.
The company needs to provide secure and private connectivity from the application's internal services to the third-party SaaS application. The company needs to ensure that there is minimal public internet exposure.
Which solution will meet these requirements?
Answer options
- A. Implement an AWS Site-to-Site VPN to establish a secure connection with the third-party SaaS provider.
- B. Deploy AWS Transit Gateway to manage and route traffic between the application's VPC and the third-party SaaS provider.
- C. Configure AWS PrivateLink to allow only outbound traffic from the VPC without enabling the third-party SaaS provider to establish.
- D. Use AWS PrivateLink to create a private connection between the application's VPC and the third-party SaaS provider.
Correct answer: D
Explanation
AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet, which makes it the right fit for connecting to third-party SaaS applications hosted on AWS. Option C also mentions PrivateLink, but it describes the configuration mechanism incorrectly, whereas Option D correctly identifies using PrivateLink to create a private connection between the application's VPC and the SaaS provider. Options A and B are incorrect because Site-to-Site VPN and Transit Gateway are designed for broader network routing and do not provide the specialized, secure, endpoint-level SaaS integration that PrivateLink offers.