AWS Certified Solutions Architect – Associate (SAA-C02) — Question 127
A company has an Amazon EC2 instance running on a private subnet that needs to access a public website to download patches and updates. The company does not want external websites to see the EC2 instance IP address or initiate connections to it.
How can a solutions architect achieve this objective?
Answer options
- A. Create a site-to-site VPN connection between the private subnet and the network in which the public site is deployed.
- B. Create a NAT gateway in a public subnet. Route outbound traffic from the private subnet through the NAT gateway.
- C. Create a network ACL for the private subnet where the EC2 instance is deployed that only allows access from the IP address range of the public website.
- D. Create a security group that only allows connections from the IP address range of the public website. Attach the security group to the EC2 instance.
Correct answer: B
Explanation
The correct answer, B, is to create a NAT gateway in a public subnet and route the private subnet's outbound traffic through it. The EC2 instance can then reach the internet, but the public website only sees the NAT gateway's public (Elastic) IP, and the NAT gateway only passes return traffic for connections the instance started, so external hosts cannot initiate connections to the instance. Option A is incorrect because a site-to-site VPN to a third party's network is not necessary for reaching a public website. Option C only filters traffic at the subnet boundary; it neither provides the instance with a route to the internet nor hides its IP address. Option D has the same problem: a security group filters by source address but does not give the instance internet access or prevent its address from being seen by external sources.