AWS Certified Solutions Architect – Professional — Question 471

A company that runs applications on AWS recently subscribed to a new software-as-a-service (SaaS) data vendor. The vendor provides the data by way of a
REST API that the vendor hosts in its AWS environment. The vendor offers multiple options for connectivity to the API and is working with the company to find the best way to connect.
The company's AWS account does not allow outbound internet access from its AWS environment. The vendor's services run on AWS in the same Region as the company's applications.
A solutions architect must implement connectivity to the vendor's API so that the API is highly available in the company's VPC.
Which solution will meet these requirements?

Answer options

• A. Connect to the vendor's public API address for the data service
• B. Connect to the vendor by way of a VPC peering connection between the vendor's VPC and the company's VPC
• C. Connect to the vendor by way of a VPC endpoint service that uses AWS PrivateLink
• D. Connect to a public bastion host that the vendor provides. Tunnel the API traffic

Correct answer: C

Explanation

AWS PrivateLink provides private, highly available connectivity between VPCs and SaaS services without exposing traffic to the public internet, which perfectly satisfies the company's restriction on outbound internet access. Options involving public endpoints or public bastion hosts are not viable because the company's VPC cannot access the internet. While VPC peering could technically connect the VPCs, AWS PrivateLink is the preferred AWS service designed specifically for securely sharing services with consumer VPCs without routing complexities.