Q57 — AWS ANS-C01 Ch.1


A software-as-a-service (SaaS) company is migrating its private SaaS application to AWS. The company has hundreds of customers that connect to multiple data centers by using VPN tunnels. As the number of customers has grown, the company has experienced more difficulty in its effort to manage routing and segmentation of customers with complex NAT rules. After the migration to AWS is complete, the company's AWS customers must be able to access the SaaS application directly from their VPCs. Meanwhile, the company's on-premises customers still must be able to connect through IPsec encrypted tunnels. Which solution will meet these requirements?

Correct Answer: B. Use AWS PrivateLink to connect the AWS customers. Use a third-party routing appliance in the SaaS application VPC to terminate on-premises Site-to-Site VPN connections.

Explanation

AWS PrivateLink lets customers access a service directly through VPC endpoints, avoiding exposure on the public internet and complex routing configuration, which fits the private-connectivity needs of a SaaS application. For on-premises customers who must keep their existing IPsec VPNs, a third-party routing appliance inside the SaaS VPC can centrally manage the encrypted tunnels, keeping the two customer connection methods separate to reduce complexity. Options C and D depend on VPC peering or a large number of VPN connections, which are hard to scale; option A's Transit Gateway can centralize routing, but it does not solve the NAT problem. Option B's hybrid architecture of PrivateLink plus a third-party appliance handles the two customer types separately and satisfies the scalability and simplified-management requirements in the question. See the hybrid network design guidance in the AWS architecture best practices and the PrivateLink documentation.