What should the solutions architect do to meet these requirements?
Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all subnets. Update all the VPC route tables, and add a route for ::/0 to the internet gateway.
Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Update the VPC route tables for all private subnets, and add a route for ::/0 to the NAT gateway.
Update the existing VPC, and associate an Amazon-provided IPv6 CIDR block with the VPC and all subnets. Create an egress-only internet gateway. Update the VPC route tables for all private subnets, and add a route for ::/0 to the egress-only internet gateway.
Update the existing VPC, and associate a custom IPv6 CIDR block with the VPC and all subnets. Create a new NAT gateway, and enable IPv6 support. Update the VPC route tables for all private subnets, and add a route for ::/0 to the IPv6-enabled NAT gateway.
Explanations:
This option suggests associating a custom IPv6 CIDR block and adding a route for ::/0 to the internet gateway. However, this would make the private subnets accessible to the public internet, which contradicts the requirement that EC2 instances in private subnets must not be accessible from the internet.
This option suggests associating an Amazon-provided IPv6 CIDR block with the VPC and adding a route for ::/0 to the NAT gateway. However, NAT gateways do not support IPv6 traffic, so this configuration would not work for IPv6 connectivity.
This option suggests associating an Amazon-provided IPv6 CIDR block and using an egress-only internet gateway for private subnets. The egress-only internet gateway allows outbound IPv6 traffic while blocking inbound traffic, ensuring that private EC2 instances remain inaccessible from the public internet, which meets the requirements.
This option suggests using a new NAT gateway with IPv6 support, but NAT gateways do not support IPv6. IPv6 requires the use of an egress-only internet gateway for outbound traffic from private subnets, not a NAT gateway.
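One way to check the routing these explanations describe, as an added example that is not part of the original question: the script below reads route tables in the shape returned by `aws ec2 describe-route-tables` and reports where each private subnet sends `::/0`. The sample data, resource IDs, verdict names and the private-subnet inventory are constructed assumptions.

```python
# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-private-ok", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-0example"}]},
    {"RouteTableId": "rtb-private-bad", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private-none", "Associations": [{"SubnetId": "subnet-priv-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0example"}]},
]}
PRIVATE_SUBNETS = {"subnet-priv-a", "subnet-priv-b", "subnet-priv-c"}  # assumed inventory
TARGET_KEYS = ("EgressOnlyInternetGatewayId", "GatewayId", "NatGatewayId")


def ipv6_default_target(table):
    """Return the target ID of the table's ::/0 route, or None if it has none."""
    for route in table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") == "::/0":
            return next((route[k] for k in TARGET_KEYS if route.get(k)), "unknown")
    return None


def audit(data, private_subnets):
    """Map each explicitly associated private subnet to a verdict on its ::/0 route."""
    # Subnets that fall back to the VPC's main route table are not covered here.
    findings = {}
    for table in data["RouteTables"]:
        target = ipv6_default_target(table)
        for assoc in table.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet not in private_subnets:
                continue
            if target is None:
                findings[subnet] = "NO_IPV6_EGRESS"
            elif target.startswith("eigw-"):
                findings[subnet] = "OK"  # outbound-only, as the requirement asks
            elif target.startswith("igw-"):
                findings[subnet] = "EXPOSED_INBOUND"  # internet gateway is two-way
            else:
                findings[subnet] = "UNEXPECTED_TARGET:" + target
    return findings


if __name__ == "__main__":
    for subnet, verdict in sorted(audit(SAMPLE, PRIVATE_SUBNETS).items()):
        print(subnet, verdict)
```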