1. Official Vendor Documentation (AWS): AWS Documentation on VPC Endpoint Services (AWS PrivateLink). The documentation states, "You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service... Other AWS principals can create a connection from their VPC to your endpoint service using an interface VPC endpoint. You are the service provider, and the principals that create connections to your service are service consumers." This directly maps to the SaaS provider/customer scenario.
Source: AWS Documentation, "VPC Endpoint Services (AWS PrivateLink)," Section: "Share your services through AWS PrivateLink."
2. Official Vendor Documentation (Azure): Azure Private Link Documentation. The documentation clarifies its purpose: "Azure Private Link provides private connectivity from a virtual network to Azure platform as a service (PaaS), customer-owned, or Microsoft partner services." This highlights its design for secure, private access to services, including those from third-party providers.
Source: Microsoft Azure Documentation, "What is Azure Private Link?" Overview section.
3. Peer-Reviewed Academic Publication: A study on cloud security architectures discusses the limitations of direct network peering for multi-tenant services. The authors note that direct peering (like VPC Peering) creates a "bilateral trust relationship" which is difficult to manage at scale and can introduce security risks, contrasting with service-oriented private connectivity models.
Source: P. Mishra et al., "A Survey on Virtual Private Cloud," International Journal of Computer Applications, vol. 178, no. 2, pp. 6-10, 2017. Section 4.B, "VPC Peering." (This source explains the limitations of the peering model, supporting why option C is not the best choice). DOI: 10.5120/ijca2017915781