AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question

A company created a VPC with two private subnets that have only IPv6 CIDR blocks. EC2 instances in these subnets must download operating-system updates from public repositories on the internet, but company policy forbids any unsolicited inbound connections from the internet to those instances. Which solution satisfies the requirements in the most cost-effective way?

Create an egress-only internet gateway, attach it to the VPC, and add a ::/0 route in each subnet's route table that targets the gateway.
Create an interface VPC endpoint for AWS Systems Manager and block all other outbound IPv6 traffic with network ACLs.
Create a NAT gateway in a public subnet, enable DNS64 for the private subnets, and add a 64:ff9b::/96 route in each subnet's route table that targets the NAT gateway.
Attach a standard internet gateway to the VPC and rely on outbound-only rules in each subnet's security group to block inbound traffic.

Report Issue

Answer Description

An egress-only internet gateway (EIGW) is purpose-built for outbound-only IPv6 connectivity. It is stateful, so return traffic is automatically allowed while unsolicited inbound IPv6 packets are dropped, meeting the security requirement without extra rules. EIGWs have no hourly charge, so they are cheaper than alternatives. A NAT gateway could also work by using NAT64 together with DNS64, but it adds hourly and data-processing costs. A standard internet gateway would expose the instances to inbound IPv6 traffic unless every subnet or instance is locked down with security groups; the policy prefers the gateway itself to block such traffic. Interface VPC endpoints provide private access to specific AWS services only and cannot reach public package mirrors.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.