AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 171

Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?

Answer options

• A. Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
• B. Configure an outbound rule on the application server instance security group for the Git repository.
• C. Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
• D. Configure an inbound rule on the application server instance security group for the Git repository.

Correct answer: B

Explanation

The correct answer is B because configuring an outbound rule on the application server instance's security group allows traffic to flow from the instances to the Git repository through the NAT gateway. The other options are incorrect as they either involve unnecessary public IP assignments (A), do not address the outbound traffic needs (C), or focus on inbound rules which are not relevant for accessing an external resource (D).