A company has Amazon EC2 instances deployed in private subnets within a VPC. These instances must initiate all outbound requests leaving the VPC, including communication with the company's on-premises data center via an AWS Direct Connect connection. No external resources should be permitted to establish direct communication with the EC2 instances.
The on-premises data center's customer gateway uses a stateful firewall device to filter incoming and outgoing traffic to and from multiple VPCs. The company also wants to implement a single IP match rule to allow all traffic from the EC2 instances to the data center using a single IP address.
Which solution meets these requirements with the MINIMAL operational overhead?
A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall. Use the firewall to block all traffic from on premises to AWS. Allow a stateful connection from the EC2 instances to initiate the requests.
B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances. Allow a stateful connection if the EC2 instances in the VPC initiate the traffic.
C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed. Specify the NAT gateway type as private. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT gateway.
D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed. Configure the on-premises firewall to allow connections from the IP address that is assigned to the NAT instance.