AWS Certified Solutions Architect – Professional (SAP-C02) — Question 54

An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client’s allow list.

The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.

How should a solutions architect ensure that the web application can continue to call the third-party API after the migration?

Answer options

• A. Associate a block of customer-owned public IP addresses to the VPC. Enable public IP addressing for public subnets in the VPC.
• B. Register a block of customer-owned public IP addresses in the AWS account. Create Elastic IP addresses from the address block and assign them to the NAT gateways in the VPC.
• C. Create Elastic IP addresses from the block of customer-owned IP addresses. Assign the static Elastic IP addresses to the ALB.
• D. Register a block of customer-owned public IP addresses in the AWS account. Set up AWS Global Accelerator to use Elastic IP addresses from the address block. Set the ALB as the accelerator endpoint.

Correct answer: B

Explanation

The correct answer is B because creating Elastic IP addresses from customer-owned public IP addresses and assigning them to the NAT gateways allows outbound traffic from the private subnet to the third-party API while maintaining the required IP address on the client allow list. Option A does not ensure the private instances can call the API, C only addresses the ALB and does not provide internet access for private instances, and D introduces additional complexity without directly addressing the requirement.