AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations engineer created an IPv6-only private subnet in an Amazon VPC. EC2 instances in the subnet must download operating-system updates from public IPv6 repositories on the internet, but company policy forbids the instances from accepting unsolicited inbound connections. Which action satisfies these requirements with the least operational overhead?
Attach an internet gateway to the VPC and rely on outbound-only rules in the subnet's security group.
Create an egress-only internet gateway for the VPC and add a ::/0 route to it in the subnet's route table.
Provision a NAT gateway in a public subnet and add a ::/0 route to the NAT gateway.
Create an interface VPC endpoint for each public repository and update the subnet's route table.
An egress-only internet gateway provides one-way outbound connectivity for IPv6 traffic. By adding a ::/0 route that targets the egress-only internet gateway, instances can initiate connections to any IPv6 destination on the internet, and the gateway automatically blocks all unsolicited inbound traffic.
A NAT gateway performs NAT64, letting IPv6-only subnets reach IPv4 destinations, but it cannot forward traffic to IPv6 endpoints and incurs hourly charges, so it does not meet the requirement. Attaching a full internet gateway enables bidirectional IPv6 connectivity; relying solely on security group rules still exposes a larger attack surface than necessary. Interface VPC endpoints supply private access only to specific AWS services and cannot reach arbitrary external repositories. Therefore, creating an egress-only internet gateway and updating the subnet's route table is the most efficient and secure solution.
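An added example, not part of the original question page: a Python check that classifies each route table's IPv6 default route the way the explanation above distinguishes them. The input is constructed in the shape of `aws ec2 describe-route-tables` output; the resource IDs are placeholders and the function names are hypothetical.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output.
# All resource IDs are placeholders, not real resources.
SAMPLE = {
    "RouteTables": [
        {"RouteTableId": "rtb-EXAMPLE-a", "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationIpv6CidrBlock": "::/0",
             "EgressOnlyInternetGatewayId": "eigw-EXAMPLE"}]},
        {"RouteTableId": "rtb-EXAMPLE-b", "Routes": [
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-EXAMPLE"}]},
        # NAT64 well-known prefix only: reaches IPv4 destinations, no ::/0 route.
        {"RouteTableId": "rtb-EXAMPLE-c", "Routes": [
            {"DestinationIpv6CidrBlock": "64:ff9b::/96",
             "NatGatewayId": "nat-EXAMPLE"}]},
    ]
}


def classify_ipv6_egress(route_table):
    """Classify the active ::/0 route of one route table.

    Returns 'egress-only' (egress-only internet gateway), 'bidirectional'
    (full internet gateway), 'other' (any other target), or 'none'.
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackholed routes carry no traffic
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only"
        if route.get("GatewayId", "").startswith("igw-"):
            return "bidirectional"
        return "other"
    return "none"


def audit(doc):
    """Map each route table ID to its IPv6 default-route classification."""
    return {rt["RouteTableId"]: classify_ipv6_egress(rt)
            for rt in doc["RouteTables"]}


if __name__ == "__main__":
    for table_id, verdict in audit(SAMPLE).items():
        print(f"{table_id}: {verdict}")
```

A private IPv6 subnet that must not accept unsolicited inbound connections should report `egress-only`; `bidirectional` means inbound reachability depends entirely on security group and network ACL rules.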