What should the solutions architect do to enable internet access for the private subnets?
Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only internet gateway.
Explanations:
Creating three NAT gateways, one in each public subnet (one per AZ), gives instances in the private subnets outbound internet access without exposing them. Each AZ gets its own private route table whose default route (0.0.0.0/0, i.e. all non-VPC traffic) points at the NAT gateway in that same AZ. The NAT gateway translates the instances' private source addresses to its Elastic IP, so the instances can download updates while keeping only private IP addresses; inbound connections from the internet still cannot reach them because nothing routes to them from the internet gateway. Keeping each AZ's route table pointed at the NAT gateway in its own AZ avoids cross-AZ data transfer charges and, more importantly, means the loss of one AZ (and its NAT gateway) does not take away egress for the private subnets in the other two AZs.
NAT instances can provide internet access to private subnets, but this option is wrong on two counts. First, a NAT instance must sit in a public subnet (one with a route to the internet gateway) with its source/destination check disabled; placing one in each private subnet, as the option describes, gives it no path to the internet at all. Second, even when placed correctly, a NAT instance is a single EC2 instance that you patch, size and monitor yourself: its bandwidth is capped by the instance type, it does not scale automatically, and it is a single point of failure unless you build your own health checking and failover. NAT gateways are managed, scale to the available bandwidth, and are resilient within their AZ, so they are the better choice.
A second internet gateway cannot be created for a private subnet. An internet gateway is attached to the VPC, not to a subnet, and a VPC can have only one attached at a time. What makes a subnet "private" is precisely that its route table has no route to the internet gateway; adding such a route would turn it into a public subnet and make any instance with a public IP directly reachable from the internet, which is the opposite of what the design calls for. This option is therefore not viable.
An egress-only internet gateway is specifically for IPv6 traffic: it is the target of a ::/0 route and lets instances with IPv6 addresses initiate outbound connections while blocking inbound ones. It does not carry IPv4, and there is no IPv4 equivalent because private IPv4 addresses need address translation, which is what a NAT gateway provides. Since the question specifies IPv4 CIDR blocks, a route table pointing at an egress-only internet gateway would leave the private instances with no IPv4 path to the internet, so this option does not meet the requirement.
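To make the correct design concrete, here is an added example (not part of the original question or explanation) that audits a VPC for the pattern described above: every private subnet's 0.0.0.0/0 route should target an available NAT gateway that lives in a public subnet in the same AZ. The input dictionaries are constructed here and shaped like a subset of the EC2 `describe_subnets`, `describe_route_tables` and `describe_nat_gateways` responses; in practice you would pass in the real output of those boto3 calls. The sample deliberately includes two of the mistakes discussed: one private route table pointing at a NAT gateway in another AZ, and one with only an IPv6 default route via an egress-only internet gateway.

```python
"""Audit private-subnet default routes for the per-AZ NAT gateway pattern.

Added example, not from the original page. All resource IDs below are
constructed for illustration; the dict shapes mirror the EC2 API responses.
"""

# Constructed sample: three public and three private subnets across three AZs.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-pub-c", "AvailabilityZone": "us-east-1c"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c"},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

ROUTE_TABLES = [
    # Public subnets share one table whose default route is the internet gateway.
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"},
                      {"SubnetId": "subnet-pub-c"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}]},
    # Correct: AZ a private table -> NAT gateway in AZ a.
    {"RouteTableId": "rtb-priv-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # Mistake: AZ b private table -> NAT gateway in AZ a (cross-AZ dependency).
    {"RouteTableId": "rtb-priv-b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # Mistake: AZ c private table has only an IPv6 default route (egress-only IGW).
    {"RouteTableId": "rtb-priv-c",
     "Associations": [{"SubnetId": "subnet-priv-c"}],
     "Routes": [LOCAL, {"DestinationIpv6CidrBlock": "::/0",
                        "EgressOnlyInternetGatewayId": "eigw-1"}]},
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
    {"NatGatewayId": "nat-c", "SubnetId": "subnet-pub-c", "State": "available"},
]


def default_ipv4_route(rtb):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit(subnets, route_tables, nat_gateways):
    """Map each private subnet ID to a list of problems (empty list = compliant)."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}

    # Resolve each subnet's route table: explicit association, else the VPC main table.
    main_rtb = next((r for r in route_tables
                     if any(a.get("Main") for a in r["Associations"])), None)
    rtb_of = {}
    for rtb in route_tables:
        for assoc in rtb["Associations"]:
            if "SubnetId" in assoc:
                rtb_of[assoc["SubnetId"]] = rtb

    def is_public(subnet_id):
        # A subnet is public when its default route targets an internet gateway.
        rtb = rtb_of.get(subnet_id, main_rtb)
        route = default_ipv4_route(rtb) if rtb else None
        return bool(route and route.get("GatewayId", "").startswith("igw-"))

    findings = {}
    for subnet in subnets:
        sid = subnet["SubnetId"]
        if is_public(sid):
            continue  # only private subnets are in scope
        issues = []
        rtb = rtb_of.get(sid, main_rtb)
        route = default_ipv4_route(rtb) if rtb else None
        if route is None:
            issues.append("no IPv4 default route: no internet access "
                          "(an egress-only IGW only carries IPv6)")
        elif "NatGatewayId" in route:
            ngw = nat_by_id.get(route["NatGatewayId"])
            if ngw is None or ngw["State"] != "available":
                issues.append(f"default route targets unavailable NAT gateway {route['NatGatewayId']}")
            else:
                if not is_public(ngw["SubnetId"]):
                    issues.append("NAT gateway is not in a public subnet and cannot reach the IGW")
                if az_of[ngw["SubnetId"]] != az_of[sid]:
                    issues.append(f"default route crosses AZs: subnet in {az_of[sid]}, "
                                  f"NAT gateway in {az_of[ngw['SubnetId']]}")
        elif "InstanceId" in route:
            issues.append("default route targets a NAT instance: single point of failure, manual scaling")
        else:
            issues.append(f"unexpected default-route target: {route}")
        findings[sid] = issues
    return findings


def is_compliant(findings):
    """True when no private subnet has any finding."""
    return all(not issues for issues in findings.values())


if __name__ == "__main__":
    for subnet_id, issues in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(subnet_id, "OK" if not issues else "; ".join(issues))
```

Run as-is it reports subnet-priv-a as OK, flags subnet-priv-b for the cross-AZ route, and flags subnet-priv-c for having no IPv4 default route. Fixing the two private tables so each points at the NAT gateway in its own AZ (nat-b and nat-c) makes the audit pass, which is exactly the configuration the correct answer describes.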