AWS SAP-C02 · Question 15 · Domain 1.1: Network Connectivity
A security architect is reviewing an AWS environment. Applications in VPC A need to access a third-party SaaS service hosted in VPC B (owned by a different AWS account). The SaaS provider requires that traffic must not traverse the public internet. The SaaS service must be highly available, and the consumer (VPC A) must not have access to any other resources in VPC B. Which solution is the MOST secure and scalable?
Answer options:
The SaaS provider creates an AWS PrivateLink endpoint service backed by a Network Load Balancer in VPC B. The consumer creates an interface VPC endpoint in VPC A.
Set up VPC peering between VPC A and VPC B. Update route tables to direct traffic to the SaaS application instances.
Deploy an AWS Transit Gateway and attach both VPCs. Use Transit Gateway route tables to restrict access to the specific SaaS application subnets.
Create a Site-to-Site VPN connection between Virtual Private Gateways attached to VPC A and VPC B.
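The PrivateLink design described in the first option, written out as an added Terraform example (this is not code from the question bank or from AWS). It assumes two accounts with aliased providers, placeholder VPC, subnet and account IDs, and a SaaS service listening on TCP/443; substitute real values before applying.

```terraform
# Added example (not from the question bank): cross-account AWS PrivateLink.
# Assumptions: the SaaS provider account owns VPC B, the consumer account
# (placeholder 111111111111) owns VPC A, the service listens on TCP/443, and
# every VPC, subnet and CIDR value below is a placeholder.

provider "aws" {
  alias  = "saas_provider"   # credentials for the account that owns VPC B
  region = "eu-west-1"
}

provider "aws" {
  alias  = "consumer"        # credentials for the account that owns VPC A
  region = "eu-west-1"
}

# ---- Provider side (VPC B) -------------------------------------------------

# Internal NLB: the only surface the consumer will ever be able to reach.
# Two subnets in two AZs give the endpoint service its high availability.
resource "aws_lb" "saas" {
  provider           = aws.saas_provider
  name               = "saas-privatelink-nlb"
  load_balancer_type = "network"
  internal           = true
  subnets            = ["subnet-b-az1", "subnet-b-az2"]  # placeholders
}

resource "aws_lb_target_group" "saas" {
  provider    = aws.saas_provider
  name        = "saas-tg"
  port        = 443
  protocol    = "TCP"
  target_type = "instance"
  vpc_id      = "vpc-0b000000000000000"  # placeholder: VPC B
}

resource "aws_lb_listener" "saas" {
  provider          = aws.saas_provider
  load_balancer_arn = aws_lb.saas.arn
  port              = 443
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.saas.arn
  }
}

# Endpoint service: only the listed principal may request a connection, and
# each request still needs explicit acceptance by the provider.
resource "aws_vpc_endpoint_service" "saas" {
  provider                   = aws.saas_provider
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.saas.arn]
  allowed_principals         = ["arn:aws:iam::111111111111:root"]  # placeholder consumer account
}

# ---- Consumer side (VPC A) -------------------------------------------------

# Security group on the endpoint ENIs: only VPC A sources, only the SaaS port.
resource "aws_security_group" "saas_endpoint" {
  provider = aws.consumer
  name     = "saas-endpoint-sg"
  vpc_id   = "vpc-0a000000000000000"  # placeholder: VPC A

  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.10.0.0/16"]  # placeholder: VPC A CIDR
  }
}

# Interface endpoint: one ENI per AZ, addressed from VPC A's own IP space.
resource "aws_vpc_endpoint" "saas" {
  provider           = aws.consumer
  vpc_id             = "vpc-0a000000000000000"
  service_name       = aws_vpc_endpoint_service.saas.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = ["subnet-a-az1", "subnet-a-az2"]  # placeholders
  security_group_ids = [aws_security_group.saas_endpoint.id]
}

# The provider accepts the pending connection from its own account.
resource "aws_vpc_endpoint_connection_accepter" "saas" {
  provider                = aws.saas_provider
  vpc_endpoint_service_id = aws_vpc_endpoint_service.saas.id
  vpc_endpoint_id         = aws_vpc_endpoint.saas.id
}

# Consumers address the SaaS by this endpoint DNS name; no VPC B CIDR is routable from VPC A.
output "saas_endpoint_dns" {
  value = aws_vpc_endpoint.saas.dns_entry[0].dns_name
}
```

Two points worth checking when you apply a design like this: the endpoint gives VPC A a path only to the NLB listener, so nothing else in VPC B becomes reachable and no VPC B routes appear in VPC A's route tables (contrast VPC peering or a Transit Gateway attachment, which both exchange routes at the CIDR or subnet level); and `acceptance_required` plus `allowed_principals` are what keep the provider in control of who connects. The connection is one-way, initiated by the consumer; if the SaaS ever needs to call back into VPC A, PrivateLink alone will not carry that traffic.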