A company has Amazon EC2 instances deployed in private subnets within a VPC. These instances must initiate all outbound requests leaving the VPC, including communication with the company's on-premises data center via an AWS Direct Connect connection. No external resources should be permitted to establish direct communication with the EC2 instances.
The on-premises data center's customer gateway uses a stateful firewall device to filter incoming and outgoing traffic to and from multiple VPCs. The company also wants to implement a single IP match rule to allow all traffic from the EC2 instances to the data center using a single IP address.
Which solution meets these requirements with the MINIMAL operational overhead?
Explanation:
The question requires a solution that lets EC2 instances in private subnets initiate outbound requests to an on-premises data center over AWS Direct Connect, without allowing any inbound connection from outside the VPC to reach the EC2 instances directly. The solution must also keep operational overhead low and let the on-premises firewall match all traffic from the EC2 instances with a single IP address.

Option C is the correct choice: deploying a NAT gateway in a private subnet lets the EC2 instances initiate outbound connections to the on-premises data center while the NAT gateway's own IP address becomes the source address of every such connection. That single, static address is what the on-premises firewall's IP match rule references, which simplifies the rule set and reduces operational overhead. Because the stateful firewall only sees connections originating from the NAT gateway, nothing on the data center side can open a connection back to an individual instance.

Unlike a NAT instance (Option D), a NAT gateway is managed by AWS, so there is no instance to patch, scale, or fail over, which further reduces operational overhead. Options A and B involve complex configurations on the on-premises firewall and do not provide a straightforward way to use a single IP match rule.
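The following Terraform is an added illustration of the Option C design and is not part of the question or of any AWS reference material. It assumes a VPC (`aws_vpc.main`), a subnet for the NAT gateway (`aws_subnet.nat`), an application subnet (`aws_subnet.app`), and a virtual private gateway attached to the Direct Connect connection (`aws_vpn_gateway.dx`) already exist; the CIDR and private IP values are placeholders.

```hcl
# Added example: private NAT gateway giving all EC2 instances one fixed
# source IP toward the on-premises network over Direct Connect.
# All IDs and CIDRs below are assumed placeholders.

locals {
  onprem_cidr = "10.100.0.0/16" # assumed on-premises range
}

# Private NAT gateway: no Elastic IP and no internet path. Its private IP
# is the single address the on-premises firewall rule matches on, so it is
# pinned here rather than left to be auto-assigned.
resource "aws_nat_gateway" "to_onprem" {
  connectivity_type = "private"
  subnet_id         = aws_subnet.nat.id
  private_ip        = "10.0.250.10" # assumed; keep it stable for the firewall rule
  tags              = { Name = "nat-to-onprem" }
}

# Route table for the instance subnets: on-prem traffic goes to the NAT
# gateway, so instances never reach the virtual private gateway directly.
resource "aws_route_table" "app" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "app_to_onprem" {
  route_table_id         = aws_route_table.app.id
  destination_cidr_block = local.onprem_cidr
  nat_gateway_id         = aws_nat_gateway.to_onprem.id
}

resource "aws_route_table_association" "app" {
  subnet_id      = aws_subnet.app.id
  route_table_id = aws_route_table.app.id
}

# Route table for the NAT gateway's own subnet: after translation, on-prem
# traffic continues to the virtual private gateway on the Direct Connect path.
resource "aws_route_table" "nat" {
  vpc_id = aws_vpc.main.id
}

resource "aws_route" "nat_to_onprem" {
  route_table_id         = aws_route_table.nat.id
  destination_cidr_block = local.onprem_cidr
  gateway_id             = aws_vpn_gateway.dx.id
}

resource "aws_route_table_association" "nat" {
  subnet_id      = aws_subnet.nat.id
  route_table_id = aws_route_table.nat.id
}
```

Attach an egress-only security group (no ingress rules) to the instances so the VPC side also enforces that no external resource can open a connection to them; the on-premises firewall then needs only one rule permitting 10.0.250.10 (or whatever address you pin) as the source.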