AWS Certified Solutions Architect – Associate (SAA-C02) — Question 327
A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other external applications using the internet. However, the company's security policy states that any external service cannot initiate a connection to the EC2 instances. What should a solutions architect recommend to resolve this issue?
Answer options
- A. Create a NAT gateway and make it the destination of the subnet's route table.
- B. Create an internet gateway and make it the destination of the subnet's route table.
- C. Create a virtual private gateway and make it the destination of the subnet's route table.
- D. Create an egress-only internet gateway and make it the destination of the subnet's route table.
Correct answer: D
Explanation
An egress-only internet gateway is designed specifically for IPv6 traffic: it allows the instances to initiate outbound connections to the internet while blocking connections that external entities attempt to initiate back to the Amazon EC2 instances, which is exactly what the security policy requires. A NAT gateway is used for IPv4 traffic and does not support IPv6, so it does not apply here. An internet gateway would allow bidirectional traffic, so external services could initiate connections and the security policy would be violated. A virtual private gateway is used for VPN connections, not direct internet access.