Which solution meets these requirements?
Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.
Explanations:
AWS PrivateLink allows private connectivity to services hosted on AWS without traversing the internet, aligning with the company’s requirement for private connectivity. Creating a security group to limit access ensures adherence to the principle of least privilege.
A Site-to-Site VPN connection does not guarantee that the traffic will not traverse the internet: it encrypts the data, but the tunnels typically run over the public internet. This does not comply with the internal security policy of using private connectivity.
VPC peering connects two VPCs, but it does not inherently ensure that traffic does not traverse the internet. Additionally, it requires configuration on both sides, which may not be feasible with a third-party SaaS application unless specifically allowed by the provider.
This option implies that the third-party SaaS provider must create an endpoint, which may not align with the requirement that the company only consumes the service privately. Moreover, if the third-party SaaS does not support creating an endpoint service, this solution would not work.