
Answer-first summary for fast verification
Answer: Create an egress-only Internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
The requirement is to give the existing workload in the private subnets IPv6 connectivity without permitting IPv6 traffic from the public internet. An egress-only internet gateway meets it: it allows outbound IPv6 traffic from instances in the VPC to the internet, but prevents the internet from initiating an IPv6 connection with those instances. All IPv6 connectivity is therefore initiated by the company's servers, as required.

Option C is correct: create an egress-only internet gateway and add a route to the existing subnet route tables that points IPv6 traffic to it. This solution does not involve an internet gateway or a NAT gateway/instance, which are not necessary for this requirement and could allow unwanted inbound traffic if not configured correctly.

Option D is incorrect because configuring a security group to deny all inbound traffic and associating it with the egress-only internet gateway is not a standard or effective method for controlling IPv6 traffic in this context. The egress-only internet gateway inherently prevents inbound traffic from the internet, making the additional security group configuration unnecessary.
Author: LeetQuiz Editorial Team
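To verify the outcome described above, the following added example (not part of the original page) audits route tables and reports whether each private subnet's IPv6 default route goes to an egress-only internet gateway or to a regular internet gateway. The input is a constructed sample shaped like `aws ec2 describe-route-tables` output; all resource IDs are placeholders, and the check assumes the IPv6 route is the `::/0` default route.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# All resource IDs below are placeholders, not real resources.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-private-a",
   "Associations": [{"SubnetId": "subnet-private-a"}],
   "Routes": [
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
     {"DestinationIpv6CidrBlock": "::/0",
      "EgressOnlyInternetGatewayId": "eigw-example"}]},
  {"RouteTableId": "rtb-private-b",
   "Associations": [{"SubnetId": "subnet-private-b"}],
   "Routes": [
     {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-example"}]},
  {"RouteTableId": "rtb-private-c",
   "Associations": [{"SubnetId": "subnet-private-c"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
]}
""")
PRIVATE = {"subnet-private-a", "subnet-private-b", "subnet-private-c"}

def classify_ipv6_default(route_table):
    """Return how the table's IPv6 default route (::/0) leaves the VPC."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only"        # only outbound-initiated IPv6 flows
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"   # inbound IPv6 from the internet is routable
        return "other"
    return "none"                       # no IPv6 default route at all

def audit(doc, private_subnets):
    """Map each private subnet to its IPv6 default-route classification."""
    result = {}
    for table in doc["RouteTables"]:
        kind = classify_ipv6_default(table)
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") in private_subnets:
                result[assoc["SubnetId"]] = kind
    return result

if __name__ == "__main__":
    for subnet, kind in sorted(audit(SAMPLE, PRIVATE).items()):
        print(f"{subnet}: {kind}")
```

Any private subnet reported as `internet-gateway` does not meet the requirement in the question, because its IPv6 addresses are reachable through a bidirectional gateway.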
A banking company operates its public mobile banking stack on AWS within a VPC containing private and public subnets, using IPv4 networking without IPv6 support. The company must integrate a third-party API that requires IPv6 connectivity. The network engineer enables IPv6 in the VPC and private subnets but must ensure IPv6 traffic is not permitted from the public internet, with all IPv6 connectivity initiated by the company's servers. What solution meets these requirements?
A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only Internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.