AWS PrivateLink is the best option for this use case. It enables private connectivity between VPCs without exposing traffic to the public internet. To use it, the provider creates a VPC endpoint service (an interface endpoint), and the consumer (the company) connects using a VPC endpoint in their own VPC. This setup restricts access only to the specific service, allows communication to be initiated only by the consumer, and ensures the entire connection stays private.

Why the other options are incorrect:

VPC peering allows full bidirectional traffic between VPCs, not limited to a single service. It does not enforce service-specific access and does not restrict traffic initiation direction, which violates the security requirement.
NAT gateways are used to allow outbound internet access from private subnets, but they still route traffic over the public internet, which does not meet the requirement for a private connection.
Virtual private gateways are part of VPN or AWS Direct Connect setups, not PrivateLink. They are used for hybrid connectivity, not for restricting VPC-to-VPC access to specific services via PrivateLink.

Full AWS Practitioner Certification Question