Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 47 discussion

A. Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway. This solution will give the Lambda function access to the internet by routing its outbound traffic through the NAT gateway, which has a public Elastic IP address. This will allow the external provider to whitelist the single public IP address associated with the NAT gateway, and enable the application to access the new service.

A https://docs.aws.amazon.com/lambda/latest/operatorguide/networking-vpc.html "By default, Lambda functions have access to the public internet. This is not the case after they have been configured with access to one of your VPCs. If you continue to need access to resources on the internet, set up a NAT instance or Amazon NAT Gateway. Alternatively, you can also use VPC endpoints to enable private communications between your VPC and supported AWS services."

There are many misleading explanations here. You cannot attath ElasticIP to Internet Gateway which use instance public ip for NAT. - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-igw-internet-access.html#ip-addresses-and-nat But NAT can be used with Elastic IP for fixed outbound ip. That's difference. - https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/nat-gateway-scenarios.html#private-nat-allowed-range

A. Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway.

A is correct, NAT not only provides the internet outbound , but also provides single public IP address, So Selected Answer: A

THE ANSWER HAS TO BE A!!!! For B: Wrong. Egress only internet gateway is for IPV6, not for IPV4 For C&D: Internet gateway is for both inbound and outbount traffic. In our case we only need outbound traffic, so it has to be NAT Gateway.

NAT gateway doesn't allow inbound traffic flow into service behind NAT gateway. ALB or internet gateway can. However internet gateway can't be attached to lambda service directly. I vote D as correct answer.

Option A will be the only solution that matches the given requirements. The problem with any solution that involves IGw is that IGw DOES NOT perform NAT. In fact, it does not alter the source IP field at all, meaning that we don't really have a mechanism of having a static public IP address set to the outbound traffic, while ensuring security. So, the only practical solution is to go with the NAT option.

A, deploy nat gateway and associate an elastic ip

Can an admin please take a look at _all_ the "correct answers" in this exam? They really cannot be trusted and reduce the usefulness of ExamTopics altogether. As things are, you should always just disregard the correct answer as it so often is insane. The correct answer is of course A.

A is correct option, Other approach to enable internet access https://www.linkedin.com/pulse/aws-lambda-accessing-private-vpc-resources-internet-without-vokhmin-pyxbe/

The solution that enables the Lambda function in a VPC to access an external service that requires requests to come from a specific public IPv4 address, and to provide a single public IP address for allow listing, is: * Option A is correct because a NAT (Network Address Translation) gateway allows instances or AWS Lambda functions in a private subnet of a VPC to initiate outbound traffic to the internet (or external services) while preventing unsolicited inbound traffic from the internet. By associating an Elastic IP address with the NAT gateway, all outbound traffic from the Lambda function routed through the NAT gateway will appear to come from this single public IP address, which can be provided to the external provider for allow listing.

Not B. egress-only internet gateway is IPv6 only, the question is about IPv6 Not C. you cannot associated Elastic IP to IGW also Lambda deployed in VPC cannot egress to internet via IGW, you need a NAT Gateway / NAT Instance Not D. same as C. A is the right solution (even if it is not well explained in my opinion)

As per https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html, "To access private resources, connect your function to private subnets. If your function needs internet access, use network address translation (NAT). Connecting a function to a public subnet doesn't give it internet access or a public IP address."

Just to clarify...If the Lambda function is already attached to a VPC, it's implied that it's in a private subnet since Lambda functions can't be directly placed in public subnets. So C and D are out.

Option B is definitely out as egress-only internet gateway is applicable solely for IPv6 traffic.

internet gateway - cant assign elastic IP to internet gateway