This PrivateLink concepts guide explains why Option A is the answer: https://docs.aws.amazon.com/vpc/latest/privatelink/concepts.html
Summary: Use AWS PrivateLink to allow the resources in your VPC to connect to services in other VPCs using private IP addresses, as if those services were hosted directly in your VPC.
Sometimes there can be a 2nd viable answer but one is still clearly better. In this case you want to connect with a 3rd party so linking your networks is not a good idea even if it's technically possible and you can limit access to a certain degree with ACLs. Also "does not traverse the internet" excludes option B.
The 3rd party SaaS runs within a VPC. A site-to-site VPN is exactly that: it is there to encrypt traffic between two sites.
To keep all traffic within a VPC and not traverse the internet via an IGW, PrivateLink is the only option. This ensures AWS servers are accessible via a private address space/network.
Because a VPN, though encrypted, goes over the internet and encounters many hops, which causes higher latency.
PrivateLink runs over the internal AWS backbone, which never traverses the internet, has far fewer hops, and is secure.
I would say for two reasons:
- Option B doesn't comply with the requirement that traffic must not traverse the internet.
- On top of that, a VPN lacks the possibility to specify an endpoint policy, so I see no way to apply the principle of least privilege with option B.
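To make the endpoint-policy point in the answer above concrete, here is an added example (not from the thread or from AWS): the permissive policy an interface endpoint starts with, a scoped one beside it, and a small evaluator that shows which calls each policy lets through. The account IDs, role name, `saas:*` actions and resource ARN are hypothetical placeholders, and the evaluator is a simplified model of IAM evaluation (explicit Deny wins, otherwise any matching Allow wins, otherwise deny) written for this illustration; whether a given PrivateLink service honours endpoint policies at all is something to confirm in that service's documentation.

```python
"""Endpoint-policy least-privilege illustration (added example, not AWS code)."""
import fnmatch

# Constructed sample: the full-access policy attached to a new interface
# endpoint when no policy is supplied. Every principal, every action.
DEFAULT_ENDPOINT_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
    ]
}

# Constructed sample: a scoped policy. The account IDs, role name, action
# names and resource ARN are hypothetical placeholders.
SCOPED_ENDPOINT_POLICY = {
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-worker"},
            "Action": ["saas:Invoke"],
            "Resource": "arn:aws:saas:us-east-1:444455556666:api/prod/*",
        }
    ]
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten the Principal element to a list of matchable strings."""
    principal = statement.get("Principal", [])
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        out = []
        for values in principal.values():
            out.extend(_as_list(values))
        return out
    return _as_list(principal)


def _matches(patterns, value):
    """Case-sensitive glob match, the way '*' behaves in policy ARNs/actions."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluation: explicit Deny wins, then any Allow, else deny."""
    decision = False
    for stmt in policy.get("Statement", []):
        if not (
            _matches(_principals(stmt), principal_arn)
            and _matches(_as_list(stmt.get("Action", [])), action)
            and _matches(_as_list(stmt.get("Resource", [])), resource_arn)
        ):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            decision = True
    return decision


def wildcard_grants(policy):
    """Indices of Allow statements granting '*' principal and '*' action.

    These are the statements a least-privilege review should flag first.
    """
    flagged = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt) and "*" in _as_list(stmt.get("Action", [])):
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    worker = "arn:aws:iam::111122223333:role/app-worker"
    target = "arn:aws:saas:us-east-1:444455556666:api/prod/orders"
    print("default policy, any principal:", is_allowed(DEFAULT_ENDPOINT_POLICY,
          "arn:aws:iam::999988887777:user/anyone", "saas:Delete", target))
    print("scoped policy, app-worker Invoke:", is_allowed(SCOPED_ENDPOINT_POLICY,
          worker, "saas:Invoke", target))
    print("scoped policy, app-worker Delete:", is_allowed(SCOPED_ENDPOINT_POLICY,
          worker, "saas:Delete", target))
    print("over-broad statements:", wildcard_grants(DEFAULT_ENDPOINT_POLICY),
          wildcard_grants(SCOPED_ENDPOINT_POLICY))
```

The scoped policy is what the VPN option cannot express: the tunnel carries any traffic between the two networks, while the endpoint policy pins the allowed principal, action and resource at the service boundary (network ACLs and security groups only filter on addresses and ports).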