AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 289
A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH.
How should the user define the security rule for SSH?
Answer options
- A. The user can connect to an instance in a private subnet using the NAT instance
- B. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
- C. Allow Inbound traffic on port 22 from the user's network
- D. Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet
Correct answer: C
Explanation
Because the VPC wizard attached a VPN connection, traffic can flow directly between the user's on-premises network and the private subnet over the VPN tunnel. The SSH security group rule should therefore allow inbound TCP port 22 with the source set to the user's on-premises network range (for example, the CIDR of the local network behind the customer gateway), which gives SSH access without exposing the instance to the public internet. The other options are incorrect: a NAT instance provides outbound internet access for instances in a private subnet, not inbound access to them; EC2 Classic is a legacy platform and is unnecessary when a VPN already connects the networks; and a private subnet has no route to an internet gateway, so it cannot accept direct inbound connections from the internet, regardless of whether ports 80 and 22 are opened.