AWS Certified Solutions Architect – Professional — Question 408

An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client's allow list.
The customer wants to migrate the web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.
How should a solutions architect ensure that the web application can continue to call the third-party API after the migration?

Answer options

Correct answer: B

Explanation

Because the EC2 instances reside in private subnets, every outbound call to the third-party API leaves the VPC through a NAT gateway, so the source address the third party sees is the Elastic IP attached to that NAT gateway. The customer already has a public CIDR block on the allow list, so the fix is to bring that block into AWS with Bring Your Own IP (BYOIP): provision and advertise the range in the same Region as the VPC, allocate Elastic IP addresses from the resulting BYOIP pool, and attach one of those addresses to each NAT gateway. All API calls then originate from the single allow-listed CIDR and the third party's firewall rule does not change. Two details matter in practice: there is normally one NAT gateway per Availability Zone, and each of them must use an address from the BYOIP pool, because a NAT gateway with an Amazon-provided Elastic IP, or an instance that reaches the internet directly with its own public IP, would be rejected by the allow list. The other options are incorrect because an ALB cannot be assigned Elastic IP addresses at all, and because AWS Global Accelerator provides static entry points for inbound traffic; it does not change the source address of outbound traffic from the NAT gateways.
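The following Terraform configuration is an added illustration of the chosen design; it is not part of the original question or of any AWS documentation. It assumes the customer's block has already been provisioned and advertised with the AWS CLI (`aws ec2 provision-byoip-cidr` followed by `aws ec2 advertise-byoip-cidr`), that the AWS provider is version 5 or later (`domain = "vpc"` on `aws_eip`), and that the pool ID, subnet IDs and route table IDs shown are placeholders to be replaced with the customer's real values. It allocates one Elastic IP per Availability Zone from the BYOIP pool, attaches each to that AZ's NAT gateway, and points the private route tables at those gateways, so that every outbound API call falls inside the single CIDR on the third party's allow list.

```hcl
# Added example, not code from the original page. All IDs below are placeholders.

variable "byoip_pool_id" {
  description = "Pool ID returned after the customer's CIDR was provisioned (placeholder)"
  type        = string
  default     = "ipv4pool-ec2-0123456789abcdef0"
}

variable "nat_subnets" {
  description = "Public subnet that hosts the NAT gateway, keyed by Availability Zone (placeholders)"
  type        = map(string)
  default = {
    "us-east-1a" = "subnet-0aaaaaaaaaaaaaaaa"
    "us-east-1b" = "subnet-0bbbbbbbbbbbbbbbb"
  }
}

variable "private_route_tables" {
  description = "Route table of the private subnets in each Availability Zone (placeholders)"
  type        = map(string)
  default = {
    "us-east-1a" = "rtb-0aaaaaaaaaaaaaaaa"
    "us-east-1b" = "rtb-0bbbbbbbbbbbbbbbb"
  }
}

# One Elastic IP per AZ, each allocated from the BYOIP pool rather than from
# Amazon's pool, so every NAT gateway's public address is inside the
# customer's allow-listed CIDR.
resource "aws_eip" "nat" {
  for_each         = var.nat_subnets
  domain           = "vpc"
  public_ipv4_pool = var.byoip_pool_id
  tags             = { Name = "nat-${each.key}" }
}

# One NAT gateway per AZ in the public subnet, using the BYOIP-backed EIP.
resource "aws_nat_gateway" "egress" {
  for_each      = var.nat_subnets
  subnet_id     = each.value
  allocation_id = aws_eip.nat[each.key].id
  tags          = { Name = "nat-${each.key}" }
}

# Default route of each AZ's private subnets goes to that AZ's NAT gateway,
# so no instance reaches the internet with any other source address.
resource "aws_route" "private_default" {
  for_each               = var.private_route_tables
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.egress[each.key].id
}

# The exact source addresses the third party will see; verify each one is
# inside the CIDR already on their allow list before cutting over.
output "nat_egress_ips" {
  value = { for az, eip in aws_eip.nat : az => eip.public_ip }
}
```

After `terraform apply`, compare every address in `nat_egress_ips` against the CIDR the third party holds on file; an address outside that block means the EIP was not drawn from the BYOIP pool, and calls from that Availability Zone will be dropped at the third party's firewall.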