AWS Certified Solutions Architect – Associate (SAA-C03) — Question 428
A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other external applications over the internet. However, the company's security policy states that no external service may initiate a connection to the EC2 instances.
What should a solutions architect recommend to resolve this issue?
Answer options
- A. Create a NAT gateway and make it the destination of the subnet's route table
- B. Create an internet gateway and make it the destination of the subnet's route table
- C. Create a virtual private gateway and make it the destination of the subnet's route table
- D. Create an egress-only internet gateway and make it the destination of the subnet's route table
Correct answer: D
Explanation
An egress-only internet gateway is designed specifically for IPv6 traffic: it is stateful, so it allows outbound connections initiated by the Amazon EC2 instances (and the return traffic for those connections) while preventing external resources from initiating connections back to the instances. NAT gateways are used for IPv4 traffic and do not support IPv6. An internet gateway would allow bi-directional traffic, failing the security requirement, while a virtual private gateway is used for VPN/Direct Connect rather than direct internet egress.
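As an added example, not part of the original question, the following Terraform configuration builds the recommended design: a dual-stack subnet whose route table sends all IPv6 traffic (::/0) to an egress-only internet gateway. The resource names and CIDR blocks are assumed placeholders.

```hcl
# Added example (not from the original question). VPC, subnet names and CIDRs are
# assumed placeholders; the VPC receives an Amazon-provided /56 IPv6 block.
resource "aws_vpc" "app" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true
}

# Dual-stack subnet: carve one /64 out of the VPC's /56 and give every instance an IPv6 address.
resource "aws_subnet" "app" {
  vpc_id                          = aws_vpc.app.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.app.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
}

# Egress-only internet gateway: IPv6-only and stateful, so only sessions
# initiated from inside the VPC (and their replies) can traverse it.
resource "aws_egress_only_internet_gateway" "app" {
  vpc_id = aws_vpc.app.id
}

resource "aws_route_table" "app" {
  vpc_id = aws_vpc.app.id

  # Default IPv6 route points at the egress-only gateway. An aws_internet_gateway
  # here (option B) would make the instances reachable from the internet instead.
  route {
    ipv6_cidr_block        = "::/0"
    egress_only_gateway_id = aws_egress_only_internet_gateway.app.id
  }
}

# Make the egress-only route table the subnet's route table.
resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}
```

After `terraform apply`, `aws ec2 describe-route-tables --route-table-ids <id>` should show the ::/0 route with an `EgressOnlyInternetGatewayId` target and no `GatewayId` pointing at an internet gateway, which is the check that confirms the policy is enforced at the routing layer.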