A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application's EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.

B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.

C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.

D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.








 

Suggested Answer: D

Community Answer: D




This question is in SCS-C01 AWS Certified Security – Specialty Exam
For getting AWS Certified Security – Specialty Certificate


Disclaimers:
The website is not related to, affiliated with, endorsed or authorized by Amazon.
Trademarks, certification & product names are used for reference only and belong to Amazon.
The website does not contain actual questions and answers from Amazon's Certification Exam.