Q35 — AWS ANS-C01 Ch.1
Question 35 of 100 | Chapter 1
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?
- A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
- B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
- C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway. ✓
- D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Correct Answer: C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
Explanation
In AWS IPv6 configurations, an egress-only internet gateway allows instances in private subnets to initiate outbound IPv6 traffic while blocking inbound connections from the internet. Its role is similar to that of a NAT gateway for IPv4, but it exists specifically for IPv6. The documentation notes that an egress-only internet gateway handles outbound traffic only, so no additional security group rules are needed to restrict inbound traffic. Option C correctly configures the route tables to direct IPv6 traffic to this gateway, satisfying the requirement that only the company's servers may initiate connections. The other options involve unnecessary components, such as a NAT gateway or NAT instance, or an incorrect security group configuration.