You deploy an application running on EC2 under a VPC subnet. The data generated from the application need to be sent to an Amazon Kinesis Stream.
For security concerns, you want to connect the subnet to the Kinesis Stream privately so that the traffic between the subnet and the Kinesis service does not leave the Amazon network.
What is the best way to implement this?

Answer options:

A.Create an interface endpoint to the Kinesis Streams service. Then the EC2 instances in the subnet can communicate with Kinesis using its endpoint DNS name.
B.Add a gateway endpoint for the Kinesis Streams service. The EC2 instances within the VPC subnet can talk with Kinesis via its endpoint host name.
C.Enable a VPC endpoint for the Kinesis Streams service and configure a virtual private gateway in the VPC subnet. Then all the traffics between the VPC and the Kinesis service are private.
D.Configure a VPN connection between the VPC subnet and the Kinesis Streams service. Then the traffic goes through the Amazon private network.

Answer: A
Option A is CORRECT because using the interface endpoint, EC2 instances can communicate with Kinesis Streams using an endpoint-specific DNS hostname such as vpce-123-ab.kinesis.us-east-1.vpce.amazonaws.com. This satisfied the required ask of communication between AWS services within the AWS network.
Option B is incorrect because the endpoint type for the Kinesis Streams service should be interface endpoint instead of gateway endpoint. Gateway endpoint is usually used for Amazon S3 and DynamoDB services.
Option C is incorrect because a virtual private gateway is usually required while creating a connection with on-premises using a VPN or a Direct Connect Connection. To create a VPC interface endpoint, we do not need the virtual private gateway.
Option D is incorrect because a VPN service is used when a connection has to be established between on-premises and AWS and not within the AWS services.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html