A company is building a microservices architecture on Amazon ECS with Fargate. Each service must be isolated and communicate only via APIs. The company needs to enforce that services cannot directly access each other's databases. Which approach should be used?
Separate VPCs provide strong isolation; VPC peering allows controlled API traffic.
Why this answer
Placing each service in its own VPC with VPC peering (Option B) provides network isolation and controlled access. Option A (same VPC) does not isolate databases. Option C (security groups) is less granular. Option D (IAM roles) does not prevent network access.