
Answer-first summary for fast verification
Answer: Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.
## Explanation

**Correct Answer: D**

**Why Option D is correct:**

1. **AWS PrivateLink** provides private connectivity between VPCs and services without exposing traffic to the public internet.
2. The provider creates a **VPC endpoint service** (fronted by a Network Load Balancer) for its target service, which allows the company to create a VPC endpoint in its own VPC.
3. **Private connectivity**: traffic stays within the AWS network and does not traverse the public internet.
4. **Restricted to the target service**: the VPC endpoint connects specifically to the provider's endpoint service, not to the entire provider VPC.
5. **Connection initiated only from the company's VPC**: with PrivateLink, the company creates the VPC endpoint in its own VPC and initiates connections to the provider's service; the provider gets no network path back into the company's VPC.

**Why other options are incorrect:**

**Option A (VPC peering):**

- VPC peering provides full network connectivity between the two VPCs, not just to a specific service.
- The company would have access to the entire provider VPC, violating the "restricted to the target service" requirement.
- Requires the two VPCs' CIDR blocks not to overlap.

**Option B (Virtual private gateway with PrivateLink):**

- Virtual private gateways are for VPN connections, not for PrivateLink.
- PrivateLink does not use virtual private gateways; it uses VPC endpoint services and VPC endpoints.
- This option mixes incompatible technologies.

**Option C (NAT gateway):**

- NAT gateways provide outbound internet access from private subnets.
- This would route traffic over the public internet, violating the "private connectivity" requirement.
- It does not provide a direct, private connection to the provider's service.
**Key AWS Services:**

- **AWS PrivateLink**: enables private connectivity between VPCs and services
- **VPC Endpoint Service**: created by the service provider (in this case, the external provider)
- **Interface VPC Endpoint**: created by the consumer (in this case, the company) to connect to the endpoint service

**Security Benefits:**

- No public IP addresses required
- Traffic stays within the AWS network
- No internet gateways, NAT devices, VPN connections, or VPC peering required
- Network access control lists (NACLs) and security groups can be used for additional security
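The three requirements in the question map onto concrete fields of the EC2 API: the provider's endpoint service configuration (`AcceptanceRequired`, the backing NLB ARNs, the allowed principals) and the company's interface endpoint and route tables. The following Python is an added example, not code from LeetQuiz or AWS; it evaluates those fields with constructed sample data shaped like the responses of `DescribeVpcEndpointServiceConfigurations`, `DescribeVpcEndpointServicePermissions`, `DescribeVpcEndpoints` and `DescribeRouteTables` (all account IDs, resource IDs and CIDRs are made up). It also runs the check against the Option A (VPC peering) layout to show why a peering route fails the "private and restricted" test.

```python
"""Added example: verify a PrivateLink setup against the question's three requirements.
All data below is constructed to mirror EC2 API response shapes; none of it is real."""
import re

# Only endpoint service names of this form are PrivateLink services (not a whole VPC).
SERVICE_NAME_RE = re.compile(r"^com\.amazonaws\.vpce\.[a-z0-9-]+\.vpce-svc-[0-9a-f]+$")

# --- constructed sample data -------------------------------------------------
COMPANY_ACCOUNT = "111111111111"   # the consumer (the company)
PROVIDER_CIDR = "10.200.0.0/16"    # the provider's VPC range
SERVICE_NAME = "com.amazonaws.vpce.us-east-1.vpce-svc-0123456789abcdef0"

PROVIDER_SERVICE = {  # like DescribeVpcEndpointServiceConfigurations.ServiceConfigurations[]
    "ServiceId": "vpce-svc-0123456789abcdef0",
    "ServiceName": SERVICE_NAME,
    "AcceptanceRequired": True,
    "NetworkLoadBalancerArns": [
        "arn:aws:elasticloadbalancing:us-east-1:222222222222:loadbalancer/net/target-svc/0000000000000000"
    ],
}
PROVIDER_PERMISSIONS = [  # like DescribeVpcEndpointServicePermissions.AllowedPrincipals[]
    {"PrincipalType": "Account", "Principal": "arn:aws:iam::111111111111:root"},
]
COMPANY_ENDPOINT = {  # like DescribeVpcEndpoints.VpcEndpoints[]
    "VpcEndpointId": "vpce-0fedcba9876543210",
    "VpcEndpointType": "Interface",
    "ServiceName": SERVICE_NAME,
    "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
    "OwnerId": COMPANY_ACCOUNT,
    "State": "available",
}
COMPANY_ROUTE_TABLES = [  # like DescribeRouteTables.RouteTables[]; only the local route
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
# Option A from the question: peering installs a route into the entire provider VPC.
PEERED_ROUTE_TABLES = [
    {"Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": PROVIDER_CIDR, "VpcPeeringConnectionId": "pcx-0123456789abcdef0",
         "State": "active"},
    ]},
]


def account_of(principal: str) -> str:
    """Pull the 12-digit account ID out of a principal ARN (or return a bare account ID as-is)."""
    m = re.search(r"\d{12}", principal)
    return m.group(0) if m else principal


def route_targets_to(route_tables, cidr):
    """Targets of every route whose destination is exactly `cidr` (igw-/nat-/pcx-/tgw- ids)."""
    targets = []
    for table in route_tables:
        for route in table.get("Routes", []):
            if route.get("DestinationCidrBlock") != cidr:
                continue
            for key in ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId", "TransitGatewayId"):
                if key in route:
                    targets.append(route[key])
    return targets


def evaluate(endpoint, service_config, permissions, route_tables, company_account, provider_cidr):
    """Return one boolean per requirement plus an overall verdict."""
    findings = {}
    # 1. Private: with PrivateLink the endpoint ENIs live in the company's own subnets, so the
    #    company needs no route to the provider VPC at all. Any route there (peering, IGW, NAT)
    #    means traffic is reaching the provider by some other, broader path.
    findings["private"] = route_targets_to(route_tables, provider_cidr) == []
    # 2. Restricted to the target service: an Interface endpoint bound to exactly the provider's
    #    vpce-svc-* service, which in turn is fronted by a Network Load Balancer.
    findings["restricted_to_service"] = (
        endpoint.get("VpcEndpointType") == "Interface"
        and SERVICE_NAME_RE.match(endpoint.get("ServiceName", "")) is not None
        and endpoint.get("ServiceName") == service_config.get("ServiceName")
        and bool(service_config.get("NetworkLoadBalancerArns"))
    )
    # 3. Initiated only from the company's VPC: the endpoint is owned by the company, and the
    #    provider's service admits only the company's account and requires manual acceptance,
    #    so no other consumer (and not the provider) can open the path.
    allowed = {account_of(p["Principal"]) for p in permissions}
    findings["initiated_from_company"] = (
        endpoint.get("OwnerId") == company_account
        and service_config.get("AcceptanceRequired") is True
        and allowed == {company_account}
    )
    findings["all_requirements_met"] = all(findings.values())
    return findings


if __name__ == "__main__":
    print("PrivateLink layout:", evaluate(COMPANY_ENDPOINT, PROVIDER_SERVICE, PROVIDER_PERMISSIONS,
                                          COMPANY_ROUTE_TABLES, COMPANY_ACCOUNT, PROVIDER_CIDR))
    print("Peered layout:     ", evaluate(COMPANY_ENDPOINT, PROVIDER_SERVICE, PROVIDER_PERMISSIONS,
                                          PEERED_ROUTE_TABLES, COMPANY_ACCOUNT, PROVIDER_CIDR))
```

In a real account the same dictionaries would come from `boto3` calls (`ec2.describe_vpc_endpoints`, `ec2.describe_vpc_endpoint_service_configurations`, `ec2.describe_vpc_endpoint_service_permissions`, `ec2.describe_route_tables`); the provider-side fields are only visible from the provider's account, so the check is best run from both sides.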
Author: LeetQuiz Editorial Team
A company runs workloads on AWS. The company needs to connect to a service from an external provider. The service is hosted in the provider's VPC. According to the company's security team, the connectivity must be private and must be restricted to the target service. The connection must be initiated only from the company's VPC.
Which solution will meet these requirements?
A. Create a VPC peering connection between the company's VPC and the provider's VPC. Update the route table to connect to the target service.

B. Ask the provider to create a virtual private gateway in its VPC. Use AWS PrivateLink to connect to the target service.

C. Create a NAT gateway in a public subnet of the company's VPC. Update the route table to connect to the target service.

D. Ask the provider to create a VPC endpoint for the target service. Use AWS PrivateLink to connect to the target service.