A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.
Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.
Which architecture best meets these requirements?
Answer choices
Good practice is not just finding the correct option. The wrong answers often show the exact trap the exam wants you to fall into.
Use AWS PrivateLink by creating a VPC endpoint service backed by the NLB in VPC A, then create an interface VPC endpoint in the partner VPC with appropriate endpoint access controls.
PrivateLink exposes the service privately via interface endpoints, avoiding peering and keeping the NLB non-public for secure partner access.
Expose the NLB to the internet with an Elastic IP and restrict access using the NLB’s security group only.
Making the NLB internet-facing violates non-public requirements, even if security groups limit allowed sources.
Use VPC peering between VPC A and the partner VPC and update route tables to resolve the overlap.
VPC peering cannot handle overlapping CIDRs, and route-table changes cannot resolve IP address overlap safely.
Deploy a NAT gateway in VPC A and route the partner’s traffic to the NLB through the NAT gateway.
NAT gateways enable outbound internet egress for instances, not private, deterministic access to internal load balancers across accounts.
Common exam trap
Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.
Technical deep dive
Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.
Related practice questions
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Practise SAA-C03 questions linked to SAA-C03 VPC.
Practise SAA-C03 questions linked to SAA-C03 S3 lifecycle policy questions.
Practise SAA-C03 questions linked to SAA-C03 RDS Multi-AZ questions.
Practise SAA-C03 questions linked to SAA-C03 IAM policy.
Practise SAA-C03 questions linked to SAA-C03 Route 53 failover questions.
Practise SAA-C03 questions linked to SAA-C03 CloudFront.
Practise SAA-C03 questions linked to SAA-C03 NAT gateway questions.
Practise SAA-C03 questions linked to SAA-C03 VPC endpoint questions.
Practise SAA-C03 questions linked to SAA-C03 Auto Scaling.
Practise SAA-C03 questions linked to SAA-C03 disaster recovery questions.
Practise SAA-C03 questions linked to SAA-C03 high availability questions.
Practise SAA-C03 questions linked to SAA-C03 cost optimization questions.
Keep practising from the same exam bank, or move into a focused topic page if this question exposed a weak area.
Question 1
Question 2
Question 3
Question 4
Question 5
Question 6
FAQ
CIDR notation defines the prefix length.
The correct answer is: Use AWS PrivateLink by creating a VPC endpoint service backed by the NLB in VPC A, then create an interface VPC endpoint in the partner VPC with appropriate endpoint access controls. — PrivateLink is designed for exactly this scenario: you want a partner to consume a service privately without requiring internet access or VPC peering, and CIDR overlap prevents classic peering. By creating a VPC endpoint service backed by your internal NLB in VPC A and then creating an interface VPC endpoint in the partner VPC, traffic stays within AWS networking and reaches the service via the endpoint ENIs. Access can be restricted to approved principals, enabling defense-in-depth while keeping the NLB non-public. Why others are wrong: Option B violates non-public requirements by using an internet-facing load balancer. Option C is incompatible with the stated constraint: peering cannot fix overlapping CIDRs. Option D misunderstands NAT gateway purpose and does not provide a private service-consumption path. Only PrivateLink uses interface endpoints to privately expose NLB-backed services across VPC/account boundaries without peering.
Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.
Sign in to join the discussion.