AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company has applications hosted on Amazon EC2 instances with IPv6 addresses. The applications must initiate communications with other external applications using the internet. However the company's security policy states that any external service cannot initiate a connection to the EC2 instances.

What should a solutions architect recommend to resolve this issue?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create a NAT gateway and make it the destination of the subnet's route table

Create an internet gateway and make it the destination of the subnet's route table

Create a virtual private gateway and make it the destination of the subnet's route table

Create an egress-only internet gateway and make it the destination of the subnet's route table

Explanation:

Explanation

Correct Answer: D - Create an egress-only internet gateway and make it the destination of the subnet's route table

Why this is correct:

IPv6 Requirement: The question specifically mentions EC2 instances with IPv6 addresses. For IPv6 traffic, you cannot use a NAT gateway (which is designed for IPv4).
Egress-Only Internet Gateway (EIGW): This is the AWS service specifically designed for IPv6 environments where you need:
- Outbound internet connectivity for IPv6 traffic
- To prevent inbound connections initiated from the internet
Security Policy Compliance: The security policy states that external services cannot initiate connections to EC2 instances. An EIGW allows outbound traffic but blocks inbound traffic initiated from the internet, which perfectly matches the requirement.

Why other options are incorrect:

A. NAT Gateway:

Designed for IPv4 traffic only
Not compatible with IPv6 addresses
While it provides outbound-only connectivity for IPv4, it doesn't work for IPv6

B. Internet Gateway:

Allows both inbound and outbound traffic
Would violate the security policy since external services could initiate connections to EC2 instances
Provides two-way communication, not one-way outbound-only

C. Virtual Private Gateway:

Used for VPN connections to on-premises networks
Not designed for internet connectivity
Would not provide access to external applications on the internet

Key AWS Concepts:

Egress-Only Internet Gateway: Similar to a NAT gateway but for IPv6 traffic. It allows instances in a VPC to initiate outbound IPv6 traffic to the internet while preventing the internet from initiating inbound IPv6 connections to those instances.
Route Table Configuration: You need to add a route with destination ::/0 (all IPv6 traffic) pointing to the EIGW in the subnet's route table.
IPv6 vs IPv4: Remember that NAT gateways are for IPv4, while Egress-Only Internet Gateways are for IPv6 when you need outbound-only connectivity.

Implementation Steps:

Create an Egress-Only Internet Gateway
Attach it to the VPC
Update the subnet's route table with a route: ::/0 → eigw-id
Ensure EC2 instances have IPv6 addresses and are in subnets with this route table configuration

Powered ByGPT-5.2

Comments

Loading comments...