AWS Certified Solutions Architect – Professional — Question 867

A company is adding a new approved external vendor that only supports IPv6 connectivity. The company's backend systems sit in the private subnet of an Amazon VPC. The company uses a NAT gateway to allow these systems to communicate with external vendors over IPv4. Company policy requires systems that communicate with external vendors to use a security group that limits access to only approved external vendors. The virtual private cloud (VPC) uses the default network ACL.

The Systems Operator successfully assigns IPv6 addresses to each of the backend systems. The Systems Operator also updates the outbound security group to include the IPv6 CIDR of the external vendor (destination). The systems within the VPC are able to ping one another successfully over IPv6. However, these systems are unable to communicate with the external vendor.
What changes are required to enable communication with the external vendor?

Answer options

Correct answer: D

Explanation

AWS NAT gateways do not support IPv6 traffic. To allow instances in a private subnet to initiate outbound IPv6 traffic while blocking inbound connection attempts from the internet, an egress-only internet gateway must be deployed. Adding a route for ::/0 in the private subnet's route table that points to the egress-only internet gateway completes the configuration necessary for outbound IPv6 communication; the security group still restricts the destination to the approved vendor's IPv6 CIDR.
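The configuration the explanation describes, written as an added Terraform example (not part of the original question or of any AWS-provided template). The VPC, subnet and route-table names are assumed, and the vendor prefix `2001:db8::/32` is a constructed placeholder to be replaced with the approved vendor's real IPv6 CIDR.

```hcl
# Egress-only internet gateway: outbound IPv6 only, inbound connections are dropped.
resource "aws_egress_only_internet_gateway" "eigw" {
  vpc_id = aws_vpc.main.id
}

# Default route for IPv6 in the private subnet's route table.
# The existing IPv4 default route (0.0.0.0/0 -> NAT gateway) is left untouched;
# a NAT gateway cannot be the target of an IPv6 route.
resource "aws_route" "private_ipv6_default" {
  route_table_id              = aws_route_table.private.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.eigw.id
}

# Outbound security group restricted to the approved vendor only.
# Only the vendor's IPv6 prefix is allowed as a destination, so even with a
# ::/0 route present, instances cannot reach arbitrary IPv6 hosts.
resource "aws_security_group" "vendor_egress" {
  name        = "approved-vendor-egress"
  description = "Allow outbound traffic to the approved external vendor only"
  vpc_id      = aws_vpc.main.id

  egress {
    description      = "HTTPS to approved vendor (placeholder prefix)"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    ipv6_cidr_blocks = ["2001:db8::/32"] # constructed placeholder, replace with the vendor's CIDR
  }
}
```

The default network ACL already permits all IPv6 traffic once an IPv6 CIDR is associated with the VPC, so with this route in place the security group is the only control that needs to name the vendor.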