A company has applications running in multiple VPCs. These applications require interaction between Amazon S3 buckets and DynamoDB. The company`s security policy requires that communication should be secure and should not go over the public internet. 
How does a solutions architect design this solution to meet these requirements?

Answer options:

A.Create VPC Gateway Endpoints for S3 and DynamoDB and update route tables for all the availability zones.
B.Use the NAT Gateway and Internet Gateway for all the egress communication to these AWS services.
C.Set up VPC peering and use VPC gateway endpoint for S3 and interface endpoint for DynamoDB to communicate over AWS network.
D.Set up a VPC interface endpoint for both S3 and DynamoDB to communicate over the AWS network.

 Answer: A
Types of VPC endpoints for Amazon S3
You can use two types of VPC endpoints to access Amazon S3: gateway endpoints and interface endpoints. A gateway endpoint is a gateway that you specify in your route table to access Amazon S3 from your VPC over the AWS network. Interface endpoints extend the functionality of gateway endpoints by using private IP addresses to route requests to Amazon S3 from within your VPC, on-premises, or from a VPC in another AWS Region using VPC peering or AWS Transit Gateway. 
There are two types of VPC endpoints:
Interface endpoint is an elastic network interface (ENI) with a private IP address from the IP address range of the user`s subnet that serves as an entry point for traffic destined to a supported service. It enables you to privately access services by using private IP addresses.
Gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to support AWS service. Currently supports S3 and DynamoDB services.
Option A is CORRECT because the VPC gateway endpoint supports S3 and DynamoDB. Using the VPC endpoint, communication will not go over the internet, and it will use AWS private network. A VPC endpoint does not require an IGW, NAT device. Instances in the VPC do not require public IP addresses to communicate with resources in the service. Traffic between VPC and the other service stays in the Amazon network.
Option B is incorrect as NAT gateway and IGW use public internet and do not provide secure channels.
Option C is incorrect as DynamoDB can be accessed using Gateway endpoint and not interface endpoint. VPC peering is between VPCs.
Option D is incorrect as S3 can be accessed using the Interface endpoint but the DynamoDB requires the gateway endpoint. The option says to use the interface endpoint for both AWS S3 and the DynamoDB table.
References:
https://docs.aws.amazon.com/vpc/latest/userguide/endpoint-service.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html