AWS Certified SysOps Administrator – Associate (legacy) — Question 620

A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances require outbound internet connectivity. For security reasons, the instances should not be reachable from the public internet.
The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the internet.
What should be done to resolve the issue?

Answer options

Correct answer: A

Explanation

Assigning Elastic IP addresses and routing the private subnet traffic directly to an internet gateway establishes the outbound path the EC2 instances need to download patches. AWS WAF is a web application firewall and cannot replace a NAT device for general outbound routing, so Option B is incorrect. Disabling source/destination checks (Option C) is a standard NAT instance requirement, but routing to the internet gateway with Elastic IPs directly addresses the underlying connectivity failure.