Exam AWS Certified Security - Specialty topic 1 question 204 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 204
Topic #: 1

A company has a VPC with an IPv6 address range and a public subnet with an IPv6 address block. The VPC currently hosts some public Amazon EC2 instances, but a security engineer needs to migrate a second application into the VPC that also requires IPv6 connectivity.
This new application will occasionally make API requests to an external, internet-accessible endpoint to receive updates. However, the security team does not want the application's EC2 instance exposed directly to the internet. The security engineer intends to create a private subnet with a custom route table and to associate the route table with the private subnet.
What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?

  • A. Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
  • B. Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
  • C. Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
  • D. Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
Suggested Answer: D
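
As an added example (not part of the original page, and not AWS's own code), this check reads route tables in the shape returned by `aws ec2 describe-route-tables` and reports where each subnet's IPv6 default route (`::/0`) points, so a private subnet routed to an egress-only internet gateway can be told apart from one routed to a regular internet gateway. The sample data and every ID in it are constructed.

```python
# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
# All resource IDs and the IPv6 prefix are made up for illustration.
SAMPLE_ROUTE_TABLES = [
    {   # custom route table for the private subnet
        "RouteTableId": "rtb-0private000000000",
        "Associations": [{"SubnetId": "subnet-0private00000000", "Main": False}],
        "Routes": [
            {"DestinationIpv6CidrBlock": "2001:db8:1234:1a00::/56",
             "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0",
             "EgressOnlyInternetGatewayId": "eigw-0example000000000", "State": "active"},
        ],
    },
    {   # route table for the existing public subnet
        "RouteTableId": "rtb-0public0000000000",
        "Associations": [{"SubnetId": "subnet-0public000000000", "Main": False}],
        "Routes": [
            {"DestinationIpv6CidrBlock": "::/0",
             "GatewayId": "igw-0example0000000000", "State": "active"},
        ],
    },
]

def ipv6_default_route_target(route_table):
    """Classify the active ::/0 route: 'egress-only', 'internet-gateway', 'other' or 'none'."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0" or route.get("State") != "active":
            continue
        if route.get("EgressOnlyInternetGatewayId"):
            return "egress-only"        # outbound-initiated IPv6 only
        if route.get("GatewayId", "").startswith("igw-"):
            return "internet-gateway"   # inbound IPv6 connections are possible
        return "other"
    return "none"                       # no IPv6 path to the internet at all

def audit_subnets(route_tables):
    """Map each explicitly associated subnet to its IPv6 default-route classification."""
    result = {}
    for table in route_tables:
        target = ipv6_default_route_target(table)
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId"):
                result[assoc["SubnetId"]] = target
    return result

if __name__ == "__main__":
    for subnet, target in audit_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: ::/0 -> {target}")
```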

Comments

[Removed]
Highly Voted 3 years, 6 months ago
It's D :: NAT gateways are not supported for IPv6 traffic—use an outbound-only (egress-only) internet gateway instead. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
upvoted 22 times
...
quixo
Most Recent 1 year, 7 months ago
Selected Answer: D
D correct
upvoted 1 times
...
ITGURU51
2 years ago
We can easily figure out the answer here by eliminating answers that sound ridiculous. (AB) The question writer wants to know which answer is the best selection between C and D. In this case configuring a NAT gateway would work; however, an egress-only internet gateway routes IPv6 traffic only. D
upvoted 2 times
...
nairj
2 years ago
Ans : C - Probably the answer is outdated so was D earlier. Now AWS NAT Gateway supports IPv6. See - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
upvoted 3 times
...
MrTricky
2 years, 3 months ago
I think the question is outdated. NAT gateways support IPv6 as stated in: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html The only reasoning in the comments as to why D is correct is "NAT gateways are not supported for IPv6", but since this is not true (at least now, maybe in the past?) then I think both C and D are correct, thus making the answer outdated.
upvoted 3 times
...
JOKERO
2 years, 11 months ago
NAT gateways are supported for IPv4 or IPv6 traffic. For IPv6 traffic, NAT gateway performs NAT64. By using this in conjunction with DNS64 (available on Route 53 resolver) https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
upvoted 2 times
francisco_guerra
2 years, 8 months ago
So the answer is D, but C is also applicable but needs more work
upvoted 1 times
...
...
roger8978
3 years, 3 months ago
D IPv6 + Internet Access == Egress only IGW.
upvoted 2 times
...
kiev
3 years, 5 months ago
IPV6#egress only internet and thus D
upvoted 3 times
...
refuz
3 years, 5 months ago
D, easy
upvoted 3 times
...
evereve
3 years, 6 months ago
D. An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
upvoted 3 times
...
sanjaym
3 years, 6 months ago
D 100%
upvoted 3 times
...
cldy
3 years, 6 months ago
D. coz it's IPv6
upvoted 4 times
...
DayQuil
3 years, 6 months ago
C. Use a NAT gateway.
upvoted 1 times
ccie8521
3 years, 6 months ago
NO it is NOT C. NAT Gateway only works on IPv4. The answer is clearly D
upvoted 1 times
...
...
viestner
3 years, 6 months ago
D, sure
upvoted 2 times
...