AWS Certified Security – Specialty — Question 170

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application's EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

Answer options

Correct answer: D

Explanation

The correct answer is D. An egress-only internet gateway lets instances in the private subnet initiate outbound IPv6 connections to the internet (and receive the responses to those connections) while blocking connections initiated from the internet, so the application can fetch its updates without being directly reachable. Options A and C involve resources that do not prevent direct exposure to the internet, and option B does not meet the requirement because AWS PrivateLink is not designed for this scenario.
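As an added example that is not part of the question or its answer key, the following offline check classifies subnets by how their IPv6 default route (`::/0`) reaches the internet, distinguishing the existing public subnet (internet gateway, instances reachable from the internet) from the new private subnet (egress-only internet gateway). The route-table records are constructed in the shape of the EC2 DescribeRouteTables response and all resource IDs are placeholders.

```python
# Classify how each subnet's IPv6 default route reaches the internet.
# Added example, not AWS or exam material: the records below are constructed in
# the shape of the EC2 DescribeRouteTables response; all IDs are placeholders.
IPV6_DEFAULT = "::/0"

# Constructed sample: the existing public subnet (IPv6 default route through an
# internet gateway) and the new private subnet (through an egress-only gateway).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-public-EXAMPLE", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-private-EXAMPLE", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0",
             "EgressOnlyInternetGatewayId": "eigw-EXAMPLE", "State": "active"},
        ],
    },
]


def ipv6_exposure(route_table):
    """Classify the table's active ::/0 route: 'public', 'egress-only', 'other' or 'no-internet'."""
    for route in route_table["Routes"]:
        if route.get("DestinationIpv6CidrBlock") != IPV6_DEFAULT or route.get("State") != "active":
            continue
        if "EgressOnlyInternetGatewayId" in route:
            return "egress-only"  # instances can initiate outbound IPv6; unsolicited inbound is dropped
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"  # IPv6 addresses are globally routable, so these instances are reachable
        return "other"  # e.g. a network appliance ENI or a peering connection as next hop
    return "no-internet"


def subnets_by_exposure(route_tables):
    """Map every subnet explicitly associated with a table to its IPv6 exposure class."""
    return {
        assoc["SubnetId"]: ipv6_exposure(rt)
        for rt in route_tables
        for assoc in rt.get("Associations", [])
        if "SubnetId" in assoc
    }
```

Run against real output by feeding `describe_route_tables()["RouteTables"]` to `subnets_by_exposure`; any subnet that should host only private workloads but is classified `public` has an IPv6 default route through an internet gateway rather than an egress-only one.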