Which solution meets these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company wants to use a third-party software-as-a-service (SaaS) application.The third-party SaaS application is consumed through several API calls.The third- party SaaS application also runs on AWS inside a VPC.The company will consume the third-party SaaS application from inside a VPC.The company has internal security policies that mandate the use of private connectivity that does not traverse the internet.No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC.All permissions must conform to the principles of least privilege.

Which solution meets these requirements?

Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.

Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.

Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.

Explanations:

AWS PrivateLink allows private connectivity to AWS services, keeping traffic within the AWS network. Creating a PrivateLink interface VPC endpoint connects the company’s VPC directly to the third-party SaaS application without traversing the internet, aligning with the requirement for private connectivity. Additionally, using a security group to limit access ensures adherence to the principle of least privilege.

A Site-to-Site VPN connection typically connects a company’s on-premises network to AWS, not directly to a third-party SaaS application. This option would still require internet routing for the third-party SaaS, which violates the requirement for private connectivity and does not ensure that no resources in the company VPC can be accessed externally.

VPC peering connects two VPCs directly but does not provide private connectivity to a third-party SaaS application. This option assumes the third-party application is in a VPC owned by the company, which is not the case. Additionally, VPC peering may introduce complexities in managing permissions and routing that do not align with the principle of least privilege.

This option is not feasible as the third-party SaaS provider needs to create an interface VPC endpoint for the endpoint service offered by the company. The requirement is for the company to connect to the third-party SaaS application privately; however, this option implies a more complex setup that would not ensure the principle of least privilege is maintained, and it does not provide a direct connection to the SaaS.

2025-09-29

1 Comment

  1. Rachel
    Author

    I sort that the answer is:
    Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.

Leave a Reply to Rachel Cancel reply

Your email address will not be published. Required fields are marked *

seventeen − nine =