There are three core requirements: reduce/manage active database connections, keep communication private without internet exposure, and scale to many consumer accounts over time.
To manage and pool database connections to an Amazon RDS for PostgreSQL DB instance, the AWS-managed service designed for this purpose is Amazon RDS Proxy. RDS Proxy maintains a pool of database connections and multiplexes application connections onto fewer database connections. This reduces connection overhead on the database, improves resiliency during failovers, and helps control the number of active connections that reach the DB instance.
Next, the connectivity must be private across accounts and scalable as more consumer accounts are added. AWS PrivateLink provides scalable, private connectivity between VPCs and services across accounts without requiring VPC peering, transitive routing, or exposing traffic to the public internet. With PrivateLink, the database account can publish an endpoint service backed by a Network Load Balancer, and consumer accounts create interface endpoints in their VPCs to connect privately to that service. This is operationally scalable because adding new consumer accounts does not require managing a growing mesh of VPC peering relationships or complex route propagation; each consumer adds an interface endpoint.
Option B is the only option that addresses connection management by introducing RDS Proxy and uses PrivateLink to provide private, cross-account, scalable connectivity. The proxy endpoint being in private subnets aligns with the requirement that traffic stays private.
Option A is incorrect because a NAT gateway in a public subnet is used for outbound internet access from private subnets. It is not needed for private cross-account database access and introduces unnecessary public subnet components. Also, NAT gateways do not manage database connections. Transit gateway can provide private connectivity, but it does not address connection pooling, and the NAT gateway component is not appropriate for the stated requirement of avoiding internet exposure.
Option C is incorrect because an Application Load Balancer is not used to proxy raw PostgreSQL database traffic. PostgreSQL uses TCP, and ALB is primarily for HTTP/HTTPS and higher-layer routing. Also, VPC peering to each consumer VPC does not scale well as the number of accounts grows, and it creates operational overhead to manage many peering connections and route tables. It also does not manage DB connections.
Option D is incorrect because it uses VPC peering and NAT gateway. NAT gateway is again not the correct mechanism for private database access and does not provide connection pooling. VPC peering per consumer is not scalable and increases operational overhead.
Therefore, using RDS Proxy to manage connections and AWS PrivateLink (via an NLB-backed endpoint service) to provide private, scalable cross-account access is the correct solution.
[References:AWS documentation on Amazon RDS Proxy for connection pooling and managing database connections for Amazon RDS databases.AWS documentation on AWS PrivateLink for private, scalable cross-account access to services through interface VPC endpoints and endpoint services backed by Network Load Balancers.AWS guidance contrasting PrivateLink with VPC peering for scalability and operational simplicity in multi-account, multi-VPC architectures., , ]
