
SAP-C02 Exam - Question 462


A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN. The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS.

Which solution will meet these requirements?

Correct Answer: A

To meet the requirement of ensuring that service data does not traverse the internet and is securely accessible, the best solution is to use a VPC Endpoint Service hosted behind a Network Load Balancer (NLB). VPC Endpoint Services, also known as PrivateLink, allow secure and private connectivity between VPCs without crossing the internet. The use of an NLB is ideal because it can handle TCP traffic, which is versatile and can cover various types of services. This ensures that the sensitive service data remains within the secure network boundaries provided by AWS Direct Connect.
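The provider side of the answer above, sketched as a CloudFormation template. This is an added example, not part of the original question or its answer options. It assumes the on-premises service is reached from the provider VPC over Direct Connect and is registered as an IP target; all parameter names and values are placeholders chosen for illustration.

```yaml
# Added example: provider-side PrivateLink stack (parameter names are illustrative).
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  SubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  OnPremServiceIp:
    Type: String   # assumed: on-premises address routable from the VPC over DX
  ServicePort:
    Type: Number   # assumed: the TCP port the service listens on
  ConsumerPrincipalArn:
    Type: String   # placeholder form: arn:aws:iam::<consumer-account-id>:root
Resources:
  Nlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal          # no public addresses on the load balancer
      Subnets: !Ref SubnetIds
  OnPremTargets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP
      Port: !Ref ServicePort
      TargetType: ip
      Targets:
        - Id: !Ref OnPremServiceIp
          Port: !Ref ServicePort
          AvailabilityZone: all  # required for IP targets outside the VPC CIDR
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Nlb
      Protocol: TCP
      Port: !Ref ServicePort
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref OnPremTargets
  EndpointService:
    Type: AWS::EC2::VPCEndpointService
    Properties:
      NetworkLoadBalancerArns: [!Ref Nlb]
      AcceptanceRequired: true   # each consumer connection is approved by the provider
  EndpointServicePermissions:
    Type: AWS::EC2::VPCEndpointServicePermissions
    Properties:
      ServiceId: !Ref EndpointService
      AllowedPrincipals: [!Ref ConsumerPrincipalArn]
```

Consumers then create an interface VPC endpoint against the resulting service name. Keeping `AcceptanceRequired` on and listing only known customer principals limits who can connect to the service.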

Discussion

9 comments
pangchn Option: A
Mar 25, 2024

A. This is a PrivateLink scenario. I can't find hard evidence, but PrivateLink seems to work only with NLB. If an ALB is needed, it will be PrivateLink -> NLB -> ALB. One piece of evidence is the link lasithasilva709 posted. Another is the comparison of ALB and NLB: https://aws.amazon.com/elasticloadbalancing/features/?nc=sn&loc=2&dn=1 A third piece of evidence: https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/

pangchn
Apr 7, 2024

Also, the question only mentions services and doesn't mention a port; TCP (NLB) can cover all ports, but HTTP/HTTPS (ALB) is restricted.

CMMC Option: A
Mar 19, 2024

#C & #D are out, given that the connectivity cannot traverse the internet. #A enables a secure VPC endpoint to privately expose the service to other companies' VPCs without traversing the internet, and TCP provides a more controlled and secure communication protocol for sensitive data.

Dgix Option: B
Mar 20, 2024

B is just as safe as A — TCP is not inherently safer. However, HTTPS and HTTP are much more commonly used when providing services to other companies. As we don't have any information as to the nature of the service, a safer bet (pun intended) is B.

AWSPro1234
Mar 23, 2024

Answer is A. "Many services" is a key word; option B is for HTTP and HTTPS.

VerRi Option: A
Mar 31, 2024

VPC endpoint + NLB = PrivateLink

trungtd Option: A
Jun 4, 2024

A, VPC endpoint used with NLB

gfhbox0083
Jul 12, 2024

A, for sure. Connectivity cannot traverse the internet

lasithasilva709 Option: A
Mar 24, 2024

My understanding is that NLB should be used for a VPC endpoint service. Here are some resources:
1. To use AWS PrivateLink, create a Network Load Balancer for your application in your VPC, and create a VPC endpoint service configuration pointing to that load balancer. https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html
2. https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/

yog927 Option: A
Mar 28, 2024

A, VPC endpoint used with NLB