
Answer-first summary for fast verification
Answer: Configure a private NAT gateway in the subnets for each Availability Zone that the application runs in. Configure the application to target the NAT gateways instead of the data service directly. Update the data service's allow list to include the IP addresses of the NAT gateways.
The question concerns an application being migrated to AWS that runs in an Auto Scaling group across several Availability Zones and must keep reaching a third-party vendor's data service in the company's data center over Direct Connect. The data service's static ACL allows only explicitly listed client IP addresses, so the design goal is a small, fixed set of source addresses that does not change as instances launch and terminate.

Option A places a private NAT gateway in each Availability Zone the application uses and routes the data service's address range from the application subnets through the NAT gateway in the same zone. A private NAT gateway has no Elastic IP; it translates the source address of outbound connections to a single private IP allocated from its subnet, and that address stays fixed for the life of the gateway. The vendor's allow list therefore needs one entry per Availability Zone and no further updates as the Auto Scaling group grows or shrinks. In practice the application keeps addressing the data service directly: the application subnet's route table is what sends that traffic through the NAT gateway, and the NAT gateway's own subnet must route the data-center prefix toward the Direct Connect virtual private gateway (or transit gateway), not back to the NAT gateway itself.

Option B does not work as written. An Auto Scaling group launches instances from a launch template and does not attach pre-existing elastic network interfaces to them; each new instance gets its own address, so every scale-out event would produce a source IP the vendor has not allowed. Option C is effectively a self-managed NAT instance per Availability Zone: each instance would need source/destination checking disabled and NAT configured on it, adds a host to patch and monitor, and is a single point of failure for its zone, with no advantage over the managed gateway in option A. Option D misuses an Application Load Balancer as an outbound proxy; the data service would see the ALB nodes' IP addresses, which are not static and change as the load balancer scales, so the allow list would again need ongoing changes.

Option A is therefore the solution that keeps the vendor's allow list stable with the least ongoing change.
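The following Terraform is an added example of option A; it is not code from the LeetQuiz page. It assumes a VPC that already has a virtual private gateway (var.vgw_id) carrying the Direct Connect route to the data center, a hypothetical data-service prefix of 10.200.0.0/24, and hypothetical subnet IDs. It gives each Availability Zone an application subnet plus a small dedicated NAT subnet, so the NAT gateway's egress route can differ from the application subnets' route.

```hcl
# Added example, not part of the LeetQuiz page. All IDs and CIDRs are hypothetical.

variable "vpc_id" { default = "vpc-0123456789abcdef0" }      # hypothetical
variable "vgw_id" { default = "vgw-0123456789abcdef0" }      # hypothetical: VGW attached to the VPC, carrying the Direct Connect private VIF
variable "data_service_cidr" { default = "10.200.0.0/24" }   # hypothetical: vendor data service range in the data center

# Per-AZ subnets (hypothetical IDs). The NAT gateway gets its own subnet so that its
# route table can send the data-center prefix to the VGW rather than to itself.
locals {
  azs = {
    "us-east-1a" = { app = "subnet-0aaa00000000000a1", nat = "subnet-0aaa00000000000a2" }
    "us-east-1b" = { app = "subnet-0bbb00000000000b1", nat = "subnet-0bbb00000000000b2" }
  }
}

# One private NAT gateway per AZ. connectivity_type = "private" means no Elastic IP:
# outbound connections are source-NATed to one private IP from the NAT subnet, and
# that IP is fixed for the gateway's lifetime. It is the address the vendor's ACL sees.
resource "aws_nat_gateway" "private" {
  for_each          = local.azs
  subnet_id         = each.value.nat
  connectivity_type = "private"
  tags              = { Name = "private-nat-${each.key}" }
}

# NAT subnet route table: the data-center prefix goes to the virtual private gateway
# (Direct Connect). This route must not point at the NAT gateway itself.
resource "aws_route_table" "nat" {
  for_each = local.azs
  vpc_id   = var.vpc_id
  route {
    cidr_block = var.data_service_cidr
    gateway_id = var.vgw_id
  }
  tags = { Name = "nat-rt-${each.key}" }
}

resource "aws_route_table_association" "nat" {
  for_each       = local.azs
  subnet_id      = each.value.nat
  route_table_id = aws_route_table.nat[each.key].id
}

# Application subnet route table: only the data-service prefix is sent through the
# NAT gateway in the same AZ. The application still connects to the service's own
# address, so no application change is needed, and zone-local routing keeps each AZ
# independent of the others.
resource "aws_route_table" "app" {
  for_each = local.azs
  vpc_id   = var.vpc_id
  route {
    cidr_block     = var.data_service_cidr
    nat_gateway_id = aws_nat_gateway.private[each.key].id
  }
  tags = { Name = "app-rt-${each.key}" }
}

resource "aws_route_table_association" "app" {
  for_each       = local.azs
  subnet_id      = each.value.app
  route_table_id = aws_route_table.app[each.key].id
}

# The complete, stable set of source addresses to hand to the vendor: one per AZ.
output "vendor_allow_list" {
  value = { for az, gw in aws_nat_gateway.private : az => gw.private_ip }
}
```

After `terraform apply`, the `vendor_allow_list` output is the only set of addresses the vendor needs to add; scaling the Auto Scaling group never changes it. The example routes just the data-service prefix; any other data-center prefixes the application reaches directly still need their own routes to the VGW in the application route tables, and the NAT subnets must fall inside the VPC CIDR that the data center already routes back over Direct Connect, which they do by construction.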
Author: LeetQuiz Editorial Team
A company is moving an application to the AWS Cloud and has established AWS Direct Connect connectivity between its VPC and its on-premises data center. The application runs on Amazon EC2 instances in an Auto Scaling group that spans multiple Availability Zones. The application communicates over HTTPS with a third-party vendor’s data service hosted in the company’s data center; the data service uses a static ACL that explicitly allow-lists client IP addresses.
What network solution should a network engineer implement to ensure the migrated application can access the vendor’s data service as it scales, while minimizing ongoing changes to the vendor’s allow list?
A
Configure a private NAT gateway in the subnets for each Availability Zone that the application runs in. Configure the application to target the NAT gateways instead of the data service directly. Update the data service's allow list to include the IP addresses of the NAT gateways.
B
Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Associate the elastic network interfaces with the Auto Scaling group for the application. Update the data service's allow list to include the IP addresses of the elastic network interfaces.
C
Configure an elastic network interface in the subnets for each Availability Zone that the application runs in. Launch an EC2 instance into each subnet. Attach the respective elastic network interfaces to the new EC2 instances. In the application subnet route tables, configure the new EC2 instances as the next destination for the data service. Update the data service’s allow list to include the IP addresses of the elastic network interfaces.
D
Configure an Application Load Balancer (ALB) in the subnets for each Availability Zone that the application runs in. Configure an ALB-associated target group that contains a target that uses the IP address for the data service. Configure the application to target the ALB instead of the data service directly. Update the data service's allow list to include the IP addresses of the ALBs.