Answer: Create a gateway endpoint for DynamoDB., Create a route table entry for the endpoint.

## Explanation To ensure that API calls to Amazon DynamoDB from Amazon EC2 instances in a VPC do not travel across the internet, the solutions architect should: **B. Create a gateway endpoint for DynamoDB** - This is the primary requirement. A VPC endpoint for DynamoDB is a gateway endpoint that provides a private connection between your VPC and DynamoDB without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. **A. Create a route table entry for the endpoint** - After creating the gateway endpoint, you need to add a route to your route table that directs traffic destined for DynamoDB to the VPC endpoint. This ensures that traffic stays within the AWS network. ### Why other options are incorrect: **C. Create an interface endpoint for Amazon EC2** - Interface endpoints are for AWS services that use PrivateLink (like Amazon S3, Amazon SNS, etc.), not for DynamoDB. DynamoDB uses gateway endpoints. **D. Create an elastic network interface for the endpoint in each of the subnets of the VPC** - This is required for interface endpoints (PrivateLink), not for gateway endpoints. Gateway endpoints don't use ENIs. **E. Create a security group entry in the endpoint's security group to provide access** - Gateway endpoints don't have security groups. Security groups are associated with interface endpoints, not gateway endpoints. ### Key Points: - **Gateway endpoints** are available for Amazon S3 and DynamoDB - They are free to use (no hourly charges) - They require route table updates to direct traffic - They don't use ENIs or security groups - Traffic stays within the AWS network, improving security and reducing costs

Author: LeetQuiz Editorial Team