Question #585
A company is migrating their on-premises application to AWS. The application, hosted on EC2 instances behind an Internet-facing Network Load Balancer (NLB), must access a third-party API that only permits a single public CIDR block. The EC2 instances are in private subnets and use NAT gateways for internet access. The NLB is in public subnets.
How can a solutions architect ensure the application can access the API after migration?
A. Associate a customer-owned public IP block with the VPC and enable public IP assignment for instances in private subnets.
B. Register a customer-owned IP block, create Elastic IPs from it, and assign them to the NAT gateways.
C. Assign Elastic IPs from the customer's block directly to the NLB.
D. Use AWS Global Accelerator with Elastic IPs from the customer's block, pointing to the NLB.
Explanation
The EC2 instances in private subnets reach the internet only through the NAT gateways, so the source address the third-party API sees is always a NAT gateway's Elastic IP. By registering the customer-owned IP block with AWS (bring your own IP) and allocating Elastic IPs (EIPs) from that block to the NAT gateways, all outbound traffic from the instances is sourced from the customer's CIDR block. The third-party API therefore only needs to allow that single CIDR.
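As an added illustration of option B (this is example Terraform written for this explanation, not configuration from the question or from AWS), the layout below allocates one EIP per availability zone from the customer-owned pool, attaches each to a NAT gateway, and routes the private subnets' default route through it. The pool id, the subnet and route table ids, and the variable names are placeholders; the `public_ipv4_pool` argument is what selects the BYOIP pool rather than an Amazon-owned address.

```hcl
# Added example of the option B design; identifiers below are placeholders.
variable "byoip_pool_id" {
  description = "Public IPv4 pool created when the customer-owned block was provisioned through BYOIP (placeholder)"
  type        = string
  default     = "ipv4pool-ec2-PLACEHOLDER"
}

variable "public_subnet_ids" {
  description = "Map of availability zone => public subnet id hosting the NAT gateway (placeholder values)"
  type        = map(string)
  default = {
    "a" = "subnet-PUBLIC-A-PLACEHOLDER"
    "b" = "subnet-PUBLIC-B-PLACEHOLDER"
  }
}

variable "private_route_table_ids" {
  description = "Map of availability zone => route table of the private subnets in that zone (placeholder values)"
  type        = map(string)
  default = {
    "a" = "rtb-PRIVATE-A-PLACEHOLDER"
    "b" = "rtb-PRIVATE-B-PLACEHOLDER"
  }
}

# One EIP per AZ, drawn from the customer-owned pool instead of the Amazon pool.
# This is the address the third-party API will see as the request source.
resource "aws_eip" "nat" {
  for_each         = var.public_subnet_ids
  domain           = "vpc"
  public_ipv4_pool = var.byoip_pool_id
}

# One NAT gateway per AZ, bound to the EIP above. Outbound traffic from the
# private subnets is source-NATed to that EIP.
resource "aws_nat_gateway" "this" {
  for_each      = var.public_subnet_ids
  subnet_id     = each.value
  allocation_id = aws_eip.nat[each.key].id
}

# Private route tables send all internet-bound traffic through the NAT gateway
# in the same AZ. Without this route, instances would have no egress at all, so
# an EIP on the NLB (option C) would never be used for outbound calls.
resource "aws_route" "private_default" {
  for_each               = var.private_route_table_ids
  route_table_id         = each.value
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.this[each.key].id
}

# The exact addresses to hand to the API owner; every one lies inside the
# customer-owned CIDR, so a single block covers all AZs.
output "api_egress_ips" {
  description = "Source IPs the third-party API will observe, keyed by AZ"
  value       = { for az, eip in aws_eip.nat : az => eip.public_ip }
}
```

After `terraform apply`, the `api_egress_ips` output gives a quick check that each NAT gateway's address falls inside the registered block; a NAT gateway whose EIP came from the Amazon pool instead would show up here as an address outside the customer's CIDR.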
Why other options are incorrect:
- A: A public IP on an instance in a private subnet does not help; the subnet has no route to an internet gateway, so outbound traffic still leaves through the NAT gateways.
- C: NLB's Elastic IPs handle inbound traffic, not outbound traffic from EC2 instances.
- D: Global Accelerator manages inbound traffic, not outbound API calls from instances.
Key Points:
1. NAT gateways handle outbound traffic for instances in private subnets.
2. Assigning EIPs from the customer-owned block to the NAT gateways gives every outbound request a source IP inside that block.
3. Third-party API restrictions require a single CIDR block for whitelisting.
Answer
The correct answer is: B