AWS Certified SysOps Administrator – Associate — Question 444
A SysOps administrator is responsible for managing a fleet of Amazon EC2 instances. These EC2 instances upload build artifacts to a third-party service. The third-party service recently implemented a strict IP allow list that requires all build uploads to come from a single IP address.
What change should the systems administrator make to the existing build fleet to comply with this new requirement?
Answer options
- A. Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.
- B. Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.
- C. Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.
- D. Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.
Correct answer: A
Explanation
A NAT gateway lets resources in a private subnet reach the internet through a single, static Elastic IP address, which the third-party service can add to its allow list. An internet gateway does not provide one shared outbound address for multiple instances: each instance sends traffic from its own public or Elastic IP. Neither an Availability Zone nor a VPC has a single public IP address that instances use for outbound internet traffic.
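As an added example (not part of the original question or its explanation), the Terraform below places the build fleet's subnet behind one NAT gateway with a single Elastic IP and exports that address for the allow list. It assumes an existing VPC, a public subnet already routed to an internet gateway, and the private subnet holding the fleet; the variable names are hypothetical.

```hcl
# Assumed inputs: existing VPC, a public subnet that already has a default
# route to an internet gateway, and the private subnet holding the build fleet.
variable "vpc_id"           { type = string }
variable "public_subnet_id" { type = string }
variable "build_subnet_id"  { type = string }

# The one static address to register with the third-party allow list.
resource "aws_eip" "nat" {
  domain = "vpc"
}

# NAT gateway lives in the public subnet; the fleet itself stays private.
# A NAT gateway is tied to one Availability Zone. Instances in other AZs can
# still route through it, but adding a second gateway for AZ resilience would
# introduce a second source IP that the service would also have to allow.
resource "aws_nat_gateway" "egress" {
  allocation_id = aws_eip.nat.id
  subnet_id     = var.public_subnet_id
}

# Default route for the build subnet points at the NAT gateway, not the IGW,
# so every upload leaves AWS from the Elastic IP above.
resource "aws_route_table" "build" {
  vpc_id = var.vpc_id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.egress.id
  }
}

resource "aws_route_table_association" "build" {
  subnet_id      = var.build_subnet_id
  route_table_id = aws_route_table.build.id
}

# Hand this value to the third-party service.
output "upload_source_ip" {
  value = aws_eip.nat.public_ip
}
```

Before registering the address, confirm from an instance in the build subnet that its outbound traffic is seen as the `upload_source_ip` value, and make sure the instances carry no public IP of their own, since a public IP in a subnet routed to an internet gateway would bypass the NAT gateway.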