AWS Certified Solutions Architect – Professional — Question 466

A web company is looking to implement an external payment service into their highly available application deployed in a VPC Their application EC2 instances are behind a public facing ELB. Auto scaling is used to add additional instances as traffic increases under normal load the application runs 2 instances in the Auto
Scaling group but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an
API.
How should they architect their solution?

Answer options

• A. Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the MAT instances.
• B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
• C. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
• D. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instances public IP address to the payment validation whitelist API.

Correct answer: A

Explanation

Using two highly available NAT instances with Elastic IPs ensures that all outbound payment traffic originates from exactly two static, predictable public IP addresses, which easily fits within the third-party service's limit of four whitelisted IPs. Option D is incorrect because scaling up to six instances would exceed the limit of four whitelisted IPs. Options B and C are incorrect because Internet Gateways do not have a single static public IP for outbound routing, and ELB IP addresses are dynamic and designed for inbound traffic rather than outbound initiation.