Question #918
A company operates an Amazon EC2 instance within a private subnet. The instance requires access to the internet to download security patches but must remain inaccessible from the internet. Which AWS service should be used to fulfill these requirements?
A. VPC endpoint
B. NAT gateway
C. AWS PrivateLink
D. VPC peering
Explanation
The correct answer is B. NAT gateway. Here's why:
- NAT Gateway: Lets instances in a private subnet initiate connections to the internet (e.g., to download patches). The NAT gateway sits in a public subnet, rewrites the instance's private source address to its own Elastic IP, and forwards the traffic through the internet gateway. Because it only translates connections that originate inside the VPC, it has no way to deliver unsolicited inbound connections, so the instance remains inaccessible from the internet.
- Why other options are incorrect:
- A. VPC Endpoint: Provides private connectivity to supported AWS services (e.g., a gateway endpoint for S3 or DynamoDB) without traversing the internet, but does not provide general internet access. (If the patch repository itself lives in S3, as the Amazon Linux repositories do, an S3 gateway endpoint can serve that one case, but the question asks for internet access.)
- C. AWS PrivateLink: Exposes a service running in another VPC, an AWS service, or a partner service as an interface endpoint in your VPC, so traffic stays on the AWS network. It does not provide a path to the internet.
- D. VPC Peering: Connects two VPCs for private communication. Peering is not transitive, so the peered VPC's internet gateway cannot be used as an egress path either.
Key Points:
- Use a NAT gateway for outbound-only internet access from private subnets.
- A NAT gateway must be created in a public subnet (one whose route table sends 0.0.0.0/0 to an internet gateway) and needs an Elastic IP; the private subnet's route table then sends 0.0.0.0/0 to the NAT gateway, not to the internet gateway.
- A subnet is "private" because its route table has no route to an internet gateway; that missing route, not the absence of a public IP, is what prevents inbound access. Still, launch the instance without a public IP and keep its security group free of inbound rules from 0.0.0.0/0 so a later route-table change cannot silently expose it.
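The key points above amount to a small audit: the instance's subnet must route 0.0.0.0/0 to a NAT gateway, must not route it to an internet gateway, and the NAT gateway's own subnet must route 0.0.0.0/0 to an internet gateway. The script below is an added example, not part of the original question or any AWS tool. The route tables and NAT gateway placement are constructed inline in the shape of boto3's `ec2.describe_route_tables()["RouteTables"]` and `describe_nat_gateways()` results (an assumption about the fields used; real responses carry more), so it runs offline. The subnet IDs, gateway IDs and CIDRs are made up.

```python
"""Audit route tables for the outbound-only pattern: private subnet -> NAT gateway -> public subnet -> IGW.

Added example with constructed data; the dictionaries mimic the field names boto3 returns from
describe_route_tables (assumption: only RouteTableId, Associations, Routes are used)."""

# Constructed sample route tables (not real AWS output).
ROUTE_TABLES = [
    {   # public subnet: default route to the internet gateway, hosts the working NAT gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
        ],
    },
    {   # correctly configured private subnet: default route to a NAT gateway
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
        ],
    },
    {   # "private" subnet someone later pointed straight at the IGW: now publicly routable
        "RouteTableId": "rtb-leaky",
        "Associations": [{"SubnetId": "subnet-leaky"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
        ],
    },
    {   # subnet routed to a NAT gateway that was (wrongly) created in an isolated subnet
        "RouteTableId": "rtb-badnat",
        "Associations": [{"SubnetId": "subnet-badnat"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bad", "State": "active"},
        ],
    },
    {   # main route table: no default route at all, applies to subnet-isolated (no explicit association)
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
]

# Constructed: subnet each NAT gateway was created in (describe_nat_gateways returns SubnetId).
NAT_GATEWAY_SUBNETS = {"nat-0abc": "subnet-public", "nat-0bad": "subnet-isolated"}


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(route_table):
    """Return the active 0.0.0.0/0 route of a table, or None when there is no internet path."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route
    return None


def classify_subnet(route_tables, subnet_id):
    """'public' (0.0.0.0/0 -> igw-*), 'private-nat' (-> nat-*), 'isolated' (no default route), else 'other'."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    if rt is None:
        return "unknown"
    route = default_route(rt)
    if route is None:
        return "isolated"
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return "public"
    if route.get("NatGatewayId"):
        return "private-nat"
    return "other"


def check_private_egress(route_tables, nat_subnets, subnet_id):
    """Return (ok, findings): ok only when the subnet is NAT-routed and that NAT gateway lives in a public subnet."""
    findings = []
    kind = classify_subnet(route_tables, subnet_id)
    if kind == "public":
        findings.append(f"{subnet_id}: default route goes to an internet gateway; the subnet is publicly routable")
    elif kind == "isolated":
        findings.append(f"{subnet_id}: no default route; the instance cannot reach patch repositories")
    elif kind != "private-nat":
        findings.append(f"{subnet_id}: default route is not a NAT gateway ({kind})")
    else:
        nat_id = default_route(route_table_for_subnet(route_tables, subnet_id))["NatGatewayId"]
        nat_subnet = nat_subnets.get(nat_id)
        if nat_subnet is None:
            findings.append(f"{nat_id}: NAT gateway subnet unknown")
        elif classify_subnet(route_tables, nat_subnet) != "public":
            findings.append(f"{nat_id}: NAT gateway sits in {nat_subnet}, which has no internet gateway route")
    return (not findings, findings)


if __name__ == "__main__":
    for subnet in ("subnet-private", "subnet-leaky", "subnet-badnat", "subnet-isolated"):
        ok, findings = check_private_egress(ROUTE_TABLES, NAT_GATEWAY_SUBNETS, subnet)
        print(subnet, "OK" if ok else "FAIL", findings)
```

Against real data, feed the script the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` for the VPC; the two failure cases it flags (an IGW default route in the "private" subnet, and a NAT gateway created in a subnet without an IGW route) are exactly the misconfigurations that turn this design into either an exposed instance or one that cannot download anything.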
Answer
The correct answer is: B