AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to create a VPC interface endpoint for the third-party's service. By using AWS PrivateLink, traffic from the EC2 instances to the third-party API will be routed through the interface endpoint over the AWS private network, completely bypassing the NAT Gateways. This directly eliminates the "NAT Gateway - Data Processed" charge for this traffic, which is the primary cost driver identified in the scenario. While the VPC endpoint has its own hourly and data processing fees, the data processing fee for an interface endpoint is significantly lower ($0.01 per GB) than that of a NAT Gateway ($0.045 per GB), resulting in substantial savings.

• Consolidating to a single NAT Gateway would actually increase costs for a multi-AZ application. Traffic originating from instances in other Availability Zones would first incur an inter-AZ data transfer fee ($0.01/GB) to reach the NAT Gateway, and then the standard NAT Gateway processing fee would still apply on top of that. This approach also introduces a single point of failure, which contradicts the high-availability requirement.
• A caching proxy layer only reduces costs for redundant data requests. Any request for new or unique data would still need to be fetched from the internet, incurring data transfer processing fees. Since AWS PrivateLink eliminates the NAT Gateway processing cost for all traffic to the provider, it is a more comprehensive and cost-effective solution.
• AWS Direct Connect is a service used to establish a dedicated private network connection from an on-premises data center to AWS. It cannot be used to connect resources within a VPC to a third-party service hosted on the public internet.