AWS Certified Solutions Architect – Professional — Question 847
A news company wants to implement an AWS Lambda function that calls an external API to receive new press releases every 10 minutes. The API provider is planning to use an IP address allow list to protect the API, so the news company needs to provide any public IP addresses that access the API. The company's current architecture includes a VPC with an internet gateway and a NAT gateway. A solutions architect must implement a static IP address for the Lambda function.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Answer options
- A. Use the Elastic IP address that is associated with the NAT gateway for the IP address allow list.
- B. Assign an Elastic IP address to the Lambda function. Use the Lambda function's Elastic IP address for the IP address allow list.
- C. Configure the Lambda function to launch in the private subnet of the VPC.
- D. Configure the Lambda function to launch in the public subnet of the VPC.
- E. Create a transit gateway. Attach the VPC and the Lambda function to the transit gateway.
Correct answer: A, C
Explanation
To give an AWS Lambda function a static public source IP address, deploy it in a private subnet of the VPC (Option C) and route its outbound internet traffic through the NAT gateway. Because the NAT gateway is associated with a static Elastic IP address, all external requests from the Lambda function originate from that one address, which the API provider can then safely add to its allow list (Option A). Assigning an Elastic IP address directly to a Lambda function is not supported, and a Lambda function launched in a public subnet is not given a public IP address, so it cannot reach the internet through the internet gateway.