Q98 — AWS ANS-C01 Ch.1

Question 98 of 100

A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner?

Correct Answer: C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.

Explanation

AWS PrivateLink (VPC endpoint services) lets a service provider (the central shared services VPC) expose one specific service over the AWS private network, and lets consumers (the business unit VPCs) reach it through interface endpoints created in their own VPCs, with no internet path and no VPC peering. Only the service behind the endpoint is reachable, never the provider's network as a whole, so the attack surface is minimal and the control is granular: access is governed at the service level rather than the VPC level, each endpoint can reach only the one service it was created for, and the provider decides which accounts may connect (allowed principals) and accepts or rejects every endpoint connection request. Traffic is one-way and consumer-initiated, so the shared services VPC cannot open connections back into an application VPC, and no route-table entries or CIDR coordination between VPCs are needed.

Scaling is equally simple: a new business unit deploys an endpoint in its own VPC and the provider adds that account to the allowed principals, with no change to the existing consumers. This avoids the point-to-point growth and connection limits of VPC peering and the routing complexity of a Transit Gateway. AWS documentation positions PrivateLink for exactly this cross-account, cross-VPC secure service sharing, with traffic isolation and simplified network management.

The other options lack service-level control. A full-mesh Transit Gateway (A) and a VPN (D) expose network ranges rather than a single service, and VPC peering (B) hits scaling limits and pushes the security burden onto security groups and network ACLs across every VPC pair.
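The provider/consumer split described above, written out as an added Terraform example. This is not code from the original page or from any AWS sample; the account IDs, VPC, subnet and security group IDs, the endpoint ID and the service name are placeholder assumptions. The shared services team applies the provider block in its account; each business unit applies the consumer block in its own account.

```hcl
# Added example, not from the original page. All IDs and the service name are
# placeholder assumptions.

############################################
# Provider side: central shared services VPC
############################################

# The shared service sits behind an internal NLB. PrivateLink exposes only what
# this load balancer fronts, not the rest of the shared services VPC.
resource "aws_lb" "shared_api" {
  name               = "shared-services-api"
  load_balancer_type = "network"
  internal           = true
  subnets            = ["subnet-0aaa111", "subnet-0bbb222"] # assumed provider subnets
}

resource "aws_vpc_endpoint_service" "shared_api" {
  network_load_balancer_arns = [aws_lb.shared_api.arn]

  # Every consumer connection must be explicitly accepted by the provider.
  acceptance_required = true

  # Only these business-unit accounts may even request a connection. Onboarding
  # a new unit is one more ARN here plus an endpoint in that unit's VPC.
  allowed_principals = [
    "arn:aws:iam::111111111111:root", # business unit A (assumed account ID)
    "arn:aws:iam::222222222222:root", # business unit B (assumed account ID)
  ]
}

# Accept the connection requested by business unit A's endpoint. The endpoint ID
# is reported by the consumer after its apply (assumed value here).
resource "aws_vpc_endpoint_connection_accepter" "unit_a" {
  vpc_endpoint_service_id = aws_vpc_endpoint_service.shared_api.id
  vpc_endpoint_id         = "vpce-0123456789abcdef0"
}

############################################
# Consumer side: one business unit's application VPC
############################################

# Security group on the interface endpoint: only this VPC's application tier
# can reach the shared service, and only on the service port.
resource "aws_security_group" "shared_api_endpoint" {
  name   = "shared-api-endpoint"
  vpc_id = "vpc-0a1b2c3d4e5f60000" # assumed consumer VPC

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = ["sg-0fedcba9876543210"] # assumed app-tier security group
  }
}

# The interface endpoint is bound to exactly one service; nothing else in the
# provider VPC is reachable through it, and no route tables change.
resource "aws_vpc_endpoint" "shared_api" {
  vpc_id             = "vpc-0a1b2c3d4e5f60000"
  service_name       = "com.amazonaws.vpce.us-east-1.vpce-svc-0abc123def4567890" # assumed
  vpc_endpoint_type  = "Interface"
  subnet_ids         = ["subnet-0ccc333"] # assumed consumer subnet
  security_group_ids = [aws_security_group.shared_api_endpoint.id]
}
```

The two security boundaries a reviewer should look for are both on the provider side: `allowed_principals` limits who may ask, and `acceptance_required = true` means nothing is connected until the provider accepts it. The consumer's security group then narrows which workloads inside the application VPC can use the endpoint at all.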