AWS Certified Solutions Architect – Professional — Question 844
A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN.
The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS.
Which solution will meet these requirements?
Answer options
- A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load Balancer, and make the service available over DX.
- B. Create a VPC Endpoint Service that accepts HTTP or HTTPS traffic, host it behind an Application Load Balancer, and make the service available over DX.
- C. Attach an internet gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
- D. Attach a NAT gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
Correct answer: A
Explanation
AWS PrivateLink lets a provider publish a service as a VPC Endpoint Service that consumer accounts reach through interface endpoints in their own VPCs; the traffic stays on the AWS network and never traverses the public internet. An endpoint service must be fronted by a Network Load Balancer (or a Gateway Load Balancer); an Application Load Balancer cannot be registered as the load balancer of an endpoint service, which rules out option B. An NLB also fits this topology because its IP-address target groups can point at on-premises addresses that are reachable over the Direct Connect connection (or the VPN), so the NLB forwards consumer connections across DX to the data center while consumers see only a private endpoint in their own VPC. The provider decides who may connect by listing allowed principals and requiring connection acceptance. Option C is wrong because an internet gateway exposes the VPC to the public internet, violating the requirement. Option D is wrong because a NAT gateway provides only outbound internet access for the VPC's own resources; it does not let other companies reach the service at all, and what it does forward goes over the internet.
Two practical points when building option A: PrivateLink does not preserve the consumer's source IP, so the on-premises hosts see connections coming from the NLB's private addresses (allow those in the data center firewalls, and enable proxy protocol v2 on the target group if the backend needs the consumer's endpoint identity), and the NLB's subnets need a route to the on-premises CIDR via the virtual private gateway or transit gateway attachment, with the on-premises targets registered with Availability Zone "all".
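As an added illustration (not part of the original question or its explanation), the following CloudFormation template builds the option A design: an internal NLB with a TCP listener, an IP target group pointing at two on-premises hosts reached over DX, and a VPC Endpoint Service that requires acceptance and allows a single consumer account. The VPC and subnet parameters, the on-premises addresses 10.10.0.21 and 10.10.0.22, and the consumer account ID are placeholders assumed for the example.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Example only: PrivateLink endpoint service fronting on-premises TCP/443
  services over Direct Connect. Addresses and IDs are placeholders.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets whose route tables send 10.10.0.0/16 to the DX/VPN attachment (assumed)
  ConsumerAccountId:
    Type: String
    Default: "111122223333"   # placeholder consumer account

Resources:
  # Internal NLB: no public IPs, reachable only via PrivateLink endpoints
  ServiceNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal
      Subnets: !Ref PrivateSubnetIds

  # IP targets outside the VPC (on-premises, reached over DX) must use AZ "all"
  OnPremTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: ip
      Protocol: TCP
      Port: 443
      HealthCheckProtocol: TCP
      Targets:
        - Id: 10.10.0.21        # assumed on-premises service host
          Port: 443
          AvailabilityZone: all
        - Id: 10.10.0.22        # assumed on-premises service host
          Port: 443
          AvailabilityZone: all
      TargetGroupAttributes:
        # PrivateLink does not preserve the consumer's source IP; enable PPv2
        # only if the on-premises service can parse the proxy protocol header.
        - Key: proxy_protocol_v2.enabled
          Value: "false"

  # Plain TCP listener: TLS is terminated on-premises, so the NLB never holds the key
  TcpListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref ServiceNlb
      Port: 443
      Protocol: TCP
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref OnPremTargets

  # The endpoint service; consumers create interface endpoints against its name
  EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns:
        - !Ref ServiceNlb
      AcceptanceRequired: true   # provider must approve each consumer connection

  # Only the listed principals may even request a connection
  EndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref EndpointService
      AllowedPrincipals:
        - !Sub "arn:aws:iam::${ConsumerAccountId}:root"

Outputs:
  ServiceName:
    Description: Give this name to consumers for their interface endpoints
    Value: !Sub "com.amazonaws.vpce.${AWS::Region}.${EndpointService}"
```

A consumer then creates an interface endpoint in its own VPC using the ServiceName output; the provider approves the pending connection, and the consumer's traffic flows endpoint to NLB to on-premises host over DX without touching the internet. Keeping AcceptanceRequired true together with an explicit AllowedPrincipals list means an attacker who learns the service name still cannot connect.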