AWS Certified Solutions Architect – Associate (SAA-C02) — Question 427

An ecommerce company is creating an application that requires a connection to a third-party payment service to process payments. The payment service needs to explicitly allow the public IP address of the server that is making the payment request. However, the company's security policies do not allow any server to be exposed directly to the public internet.
Which solution will meet these requirements?

Answer options

• A. Provision an Elastic IP address. Host the application servers on Amazon EC2 instances in a private subnet. Assign the public IP address to the application servers.
• B. Create a NAT gateway in a public subnet. Host the application servers on Amazon EC2 instances in a private subnet. Route payment requests through the NAT gateway.
• C. Deploy an Application Load Balancer (ALB). Host the application servers on Amazon EC2 instances in a private subnet. Route the payment requests through the ALB.
• D. Set up an AWS Client VPN connection to the payment service. Host the application servers on Amazon EC2 instances in a private subnet. Route the payment requests through the VPN.

Correct answer: B

Explanation

A NAT gateway placed in a public subnet allows Amazon EC2 instances in a private subnet to make outbound connections to the internet using the NAT gateway's static Elastic IP address, which can then be whitelisted by the payment service. This keeps the application servers securely isolated from inbound internet traffic, satisfying the company's security policies. Other options like direct Elastic IP assignment violate the security policy, while an Application Load Balancer is designed for inbound traffic routing rather than outbound internet requests.