What should the solutions architect do to meet these requirements?
Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all subnets. Update all the VPC route tables, and add a route for ::/0 to the internet gateway.
Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Update the VPC route tables for all private subnets, and add a route for ::/0 to the NAT gateway.
Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Create an egress-only internet gateway. Update the VPC route tables for all private subnets, and add a route for ::/0 to the egress-only internet gateway.
Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all subnets. Create a new NAT gateway, and enable IPv6 support. Update the VPC route tables for all private subnets, and add a route for ::/0 to the IPv6-enabled NAT gateway.
Explanations:
Associating an IPv6 CIDR block with the VPC and adding a route for ::/0 to the internet gateway is wrong because an internet gateway forwards IPv6 traffic in both directions. IPv6 addresses in a VPC are globally routable (there is no NAT for IPv6), so any private instance whose route table sends ::/0 to the internet gateway becomes reachable from the public internet, subject only to its security group and network ACL. That violates the requirement to keep the private instances inaccessible from the internet. Whether the CIDR is custom (BYOIP) or Amazon-provided is not what makes this option wrong.
Associating an Amazon-provided IPv6 CIDR block with the VPC and adding a route for ::/0 to the NAT gateway is incorrect because a NAT gateway does not provide IPv6 internet egress. NAT gateways translate IPv4 traffic; their only IPv6 feature is NAT64 (with DNS64), which lets IPv6-only hosts reach IPv4-only destinations through the 64:ff9b::/96 prefix. A NAT gateway does not forward IPv6 traffic to IPv6 destinations, so a ::/0 route to it leaves the private subnets without working IPv6 connectivity.
Associating an Amazon-provided IPv6 CIDR block with the VPC (a /56, from which each subnet receives a /64), creating an egress-only internet gateway, and adding a route for ::/0 to the egress-only internet gateway is the correct approach. An egress-only internet gateway is stateful: it forwards IPv6 traffic initiated from inside the VPC and allows the return traffic, but drops connections initiated from the internet. Private subnets can therefore reach IPv6 destinations without being reachable themselves. Two practical notes: the egress-only internet gateway handles IPv6 only, so the existing NAT gateway route for 0.0.0.0/0 stays in place for IPv4 egress, and security groups and network ACLs still apply to the IPv6 traffic that passes through it.
While creating a new "IPv6-enabled" NAT gateway may sound like a solution, there is no NAT gateway mode that forwards IPv6 traffic to IPv6 destinations; NAT64 only translates toward IPv4. Outbound-only IPv6 connectivity for private subnets requires an egress-only internet gateway.
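The distinction between the four options comes down to which target a private subnet's ::/0 route points at. The audit below, added here as an example and not part of the original question or any AWS tooling, walks route tables in the JSON shape returned by `aws ec2 describe-route-tables` and classifies each private subnet's IPv6 default route as outbound-only (egress-only internet gateway), exposed (internet gateway), broken (NAT gateway) or absent. The route tables, subnet IDs and gateway IDs are constructed sample data; the function and enum names are this example's own.

```python
"""Classify the IPv6 default route of each private subnet in a VPC.

The input mirrors the JSON that `aws ec2 describe-route-tables` returns
(RouteTables -> Associations / Routes). Everything below is constructed
sample data; no real AWS resources are referenced.
"""
from enum import Enum


class Ipv6Egress(Enum):
    EGRESS_ONLY = "outbound-only IPv6 via egress-only internet gateway"
    EXPOSED = "::/0 via internet gateway: subnet reachable from the internet"
    BROKEN = "::/0 via NAT gateway: no IPv6-to-IPv6 forwarding"
    NONE = "no active ::/0 route: no IPv6 internet egress"


def classify_ipv6_default_route(route_table: dict) -> Ipv6Egress:
    """Return the classification of the first active ::/0 route in a route table."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State", "active") != "active":
            continue  # blackhole routes (e.g. deleted gateway) give no egress
        if "EgressOnlyInternetGatewayId" in route:
            return Ipv6Egress.EGRESS_ONLY
        if route.get("GatewayId", "").startswith("igw-"):
            return Ipv6Egress.EXPOSED
        if "NatGatewayId" in route:
            return Ipv6Egress.BROKEN
    return Ipv6Egress.NONE


def audit_private_subnets(route_tables: list, private_subnet_ids: set) -> dict:
    """Map each private subnet ID to the classification of its route table."""
    findings = {}
    for table in route_tables:
        for assoc in table.get("Associations", []):
            subnet_id = assoc.get("SubnetId")
            if subnet_id in private_subnet_ids:
                findings[subnet_id] = classify_ipv6_default_route(table)
    return findings


# Constructed sample: three private subnets, each on a different route table.
PRIVATE_SUBNETS = {"subnet-0aaa", "subnet-0bbb", "subnet-0ccc"}

SAMPLE_ROUTE_TABLES = [
    {   # correct: IPv4 via NAT gateway, IPv6 via egress-only internet gateway
        "RouteTableId": "rtb-0001",
        "Associations": [{"SubnetId": "subnet-0aaa", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationIpv6CidrBlock": "2001:db8:1234::/56", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0001", "State": "active"},
        ],
    },
    {   # exposed: ::/0 sent to the internet gateway
        "RouteTableId": "rtb-0002",
        "Associations": [{"SubnetId": "subnet-0bbb", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0001", "State": "active"},
        ],
    },
    {   # broken: ::/0 sent to the NAT gateway
        "RouteTableId": "rtb-0003",
        "Associations": [{"SubnetId": "subnet-0ccc", "Main": False}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0001", "State": "active"},
            {"DestinationIpv6CidrBlock": "::/0", "NatGatewayId": "nat-0001", "State": "active"},
        ],
    },
]


if __name__ == "__main__":
    for subnet_id, verdict in sorted(audit_private_subnets(SAMPLE_ROUTE_TABLES, PRIVATE_SUBNETS).items()):
        print(f"{subnet_id}: {verdict.value}")
```

Against live data, feed the `RouteTables` array from `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` and the set of subnet IDs you treat as private. Subnets with no explicit association use the main route table, which this example does not resolve; add a lookup of the `Main: true` association if you need that.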