
Answer-first summary for fast verification
Answer: Create an egress-only internet gateway and make it the destination of the subnet's route table
## Explanation

**Correct Answer: D - Create an egress-only internet gateway and make it the destination of the subnet's route table**

### Why this is correct:

1. **IPv6 Requirement**: The question specifically mentions EC2 instances with IPv6 addresses. For IPv6 traffic, you cannot use a NAT gateway (which is designed for IPv4).
2. **Egress-Only Internet Gateway (EIGW)**: This is the AWS service specifically designed for IPv6 environments where you need:
   - Outbound internet connectivity for IPv6 traffic
   - To prevent inbound connections initiated from the internet
3. **Security Policy Compliance**: The security policy states that external services cannot initiate connections to EC2 instances. An EIGW allows outbound traffic but blocks inbound traffic initiated from the internet, which exactly matches the requirement.

### Why other options are incorrect:

**A. NAT Gateway**:
- Designed for IPv4 traffic only
- Not compatible with IPv6 addresses
- While it provides outbound-only connectivity for IPv4, it doesn't work for IPv6

**B. Internet Gateway**:
- Allows both inbound and outbound traffic
- Would violate the security policy since external services could initiate connections to EC2 instances
- Provides two-way communication, not one-way outbound-only

**C. Virtual Private Gateway**:
- Used for VPN connections to on-premises networks
- Not designed for internet connectivity
- Would not provide access to external applications on the internet

### Key AWS Concepts:

- **Egress-Only Internet Gateway**: Similar to a NAT gateway but for IPv6 traffic. It allows instances in a VPC to initiate outbound IPv6 traffic to the internet while preventing the internet from initiating inbound IPv6 connections to those instances.
- **Route Table Configuration**: You need to add a route with destination `::/0` (all IPv6 traffic) pointing to the EIGW in the subnet's route table.
- **IPv6 vs IPv4**: Remember that NAT gateways are for IPv4, while Egress-Only Internet Gateways are for IPv6 when you need outbound-only connectivity.

### Implementation Steps:

1. Create an Egress-Only Internet Gateway
2. Attach it to the VPC
3. Update the subnet's route table with a route: `::/0 → eigw-id`
4. Ensure EC2 instances have IPv6 addresses and are in subnets with this route table configuration
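The implementation steps above, written out as a Terraform configuration. This is an added example, not part of the original page or of any AWS reference material; the resource names (`app`, `app_a`, `egress_only`), the region, availability zone and IPv4 CIDR values are placeholder assumptions. With Terraform (as with the AWS CLI), creating the egress-only internet gateway with a `vpc_id` creates and attaches it in one step, so steps 1 and 2 collapse into one resource.

```terraform
# Added example (not from the original page). Names, region, AZ and IPv4 CIDRs are placeholders.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder region
}

# A VPC with an Amazon-provided IPv6 CIDR block (the IPv4 block is a placeholder).
resource "aws_vpc" "app" {
  cidr_block                       = "10.0.0.0/16"
  assign_generated_ipv6_cidr_block = true
}

# Step 4: a dual-stack subnet, so instances launched here receive an IPv6 address.
resource "aws_subnet" "app_a" {
  vpc_id                          = aws_vpc.app.id
  cidr_block                      = "10.0.1.0/24"
  ipv6_cidr_block                 = cidrsubnet(aws_vpc.app.ipv6_cidr_block, 8, 1)
  assign_ipv6_address_on_creation = true
  availability_zone               = "us-east-1a" # placeholder AZ
}

# Steps 1 and 2: the egress-only internet gateway; vpc_id both creates and attaches it.
resource "aws_egress_only_internet_gateway" "app" {
  vpc_id = aws_vpc.app.id
}

# Step 3: a route table whose IPv6 default route (::/0) targets the EIGW.
# Pointing ::/0 at an aws_internet_gateway instead (option B) would make every
# instance with a public IPv6 address reachable from the internet.
resource "aws_route_table" "egress_only" {
  vpc_id = aws_vpc.app.id
}

resource "aws_route" "ipv6_default" {
  route_table_id              = aws_route_table.egress_only.id
  destination_ipv6_cidr_block = "::/0"
  egress_only_gateway_id      = aws_egress_only_internet_gateway.app.id
}

# Step 4 (continued): associate the subnet with that route table so instances use it.
resource "aws_route_table_association" "app_a" {
  subnet_id      = aws_subnet.app_a.id
  route_table_id = aws_route_table.egress_only.id
}

# Security groups still apply on top of the EIGW: outbound IPv6 allowed, no inbound rules.
resource "aws_security_group" "egress_only" {
  name   = "egress-only-ipv6"
  vpc_id = aws_vpc.app.id

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
}
```

The EIGW is stateful, so replies to connections the instances open are allowed back in while unsolicited inbound IPv6 traffic is dropped; the security group with no inbound rules is defence in depth, not a replacement for the gateway choice. Instances launched into `aws_subnet.app_a` get an IPv6 address automatically because `assign_ipv6_address_on_creation` is set.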
Author: LeetQuiz Editorial Team
A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other external applications using the internet. However, the company's security policy states that any external service cannot initiate a connection to the EC2 instances.
What should a solutions architect recommend to resolve this issue?
A. Create a NAT gateway and make it the destination of the subnet's route table
B. Create an internet gateway and make it the destination of the subnet's route table
C. Create a virtual private gateway and make it the destination of the subnet's route table
D. Create an egress-only internet gateway and make it the destination of the subnet's route table