AWS Certified Solutions Architect – Professional (SAP-C02) — Question 454

A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN. The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS.

Which solution will meet these requirements?

Answer options

• A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load Balancer, and make the service available over DX.
• B. Create a VPC Endpoint Service that accepts HTTP or HTTPS traffic, host it behind an Application Load Balancer, and make the service available over DX.
• C. Attach an internet gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
• D. Attach a NAT gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.

Correct answer: A

Explanation

A VPC Endpoint Service (powered by AWS PrivateLink) allows the company to share its services privately with other AWS accounts without exposing data to the public internet, utilizing a Network Load Balancer (NLB) to route TCP traffic to the on-premises targets over AWS Direct Connect. Option B is incorrect because PrivateLink requires a Network Load Balancer or Gateway Load Balancer, not an Application Load Balancer. Options C and D are incorrect because utilizing an internet gateway or NAT gateway would expose or route traffic over the public internet, which violates the company's strict security requirements.