Your company deploys an internal application in an Elastic Beanstalk environment which is created in a private VPC and has no access to the internet. The application is used for monitoring and logging, and other VPC applications need to send requests to the internal application. For security purposes, the traffic to the Elastic Beanstalk service should stay inside the Amazon network without exposure to the internet. How would you achieve this requirement?

Answer options:

A.Create a NAT Gateway in the public subnet. Modify the route table to connect other applications and the Elastic Beanstalk service through the NAT Gateway.
B.Configure an interface VPC endpoint for the Elastic Beanstalk service. Requests are sent to Elastic Beanstalk through AWS PrivateLink.
C.Disable DNS name in the Elastic Beanstalk environment to disallow the connections through the public endpoint of Elastic Beanstalk.
D.Nothing needs to be done as Elastic Beanstalk provides the private DNS “com.amazonaws.region.elasticbeanstalk” by default.

Correct Answer: B
Option A is incorrect because NAT Gateway is used to provide internet connectivity to private subnets. So, there is no need for NAT Gateway for the above-mentioned requirement.
Option B is CORRECT because the traffic to Elastic Beanstalk needs to be private without being exposed to the internet. This requirement can be achieved by the VPC endpoint service powered by AWS PrivateLink. With PrivateLink, users do not need to configure other connectivity services such as VPN connection or AWS Direct Connect. Check the following snapshot for how to create the VPC endpoint:
Option C is incorrect because disabling the DNS name is not a feasible option in an Elastic Beanstalk environment.
Option D is incorrect because, in order to send other applications’ traffic to the Elastic Beanstalk service, something must be used, i.e., VPC endpoint.
References:
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc.html
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.html