AWS Certified SysOps Administrator – Associate (legacy) — Question 271
A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?
Answer options
- A. Allow Inbound traffic on port 22 from the user's network
- B. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
- C. The user can connect to an instance in a private subnet using the NAT instance
- D. Allow Inbound traffic on ports 80 and 22 to allow the user to connect to a private subnet over the Internet
Correct answer: A
Explanation
Since the VPC is connected to the user's on-premises network through the VPN connection, traffic between the two routes over the VPN tunnel without traversing the public internet. The security group of the private instance therefore only needs an inbound rule allowing TCP port 22 (SSH) from the user's on-premises network range. The other options, using EC2 Classic, routing SSH through a NAT instance, or exposing ports 80 and 22 to the public internet, are either insecure or architecturally invalid for a private subnet reached over a VPN.