Which combination of steps should the solutions architect take to meet these requirements?
(Choose two.)
Use the Elastic IP address that is associated with the NAT gateway for the IP address allow list.
Assign an Elastic IP address to the Lambda function. Use the Lambda function’s Elastic IP address for the IP address allow list.
Configure the Lambda function to launch in the private subnet of the VPC.
Configure the Lambda function to launch in the public subnet of the VPC.
Create a transit gateway. Attach the VPC and the Lambda function to the transit gateway.
Explanations:
The Elastic IP associated with the NAT gateway is the public IP address that will be used for outbound traffic from the Lambda function when it accesses the external API. Therefore, this IP can be provided to the API provider for the allow list.
Lambda functions do not support direct assignment of Elastic IP addresses. Instead, they utilize the NAT gateway’s Elastic IP for outbound internet access. Thus, assigning an Elastic IP directly to a Lambda function is not possible.
Configuring the Lambda function to launch in a private subnet allows it to route outbound traffic through the NAT gateway, which will then use the associated Elastic IP for external API calls. This setup is essential for maintaining a static public IP.
Launching the Lambda function in a public subnet would allow it to access the internet directly, which is not desired when a static IP through the NAT gateway is needed. Public subnets do not utilize the NAT gateway for outbound internet access.
A transit gateway is not necessary for this use case, as it does not provide a mechanism to assign static IPs for Lambda functions. Instead, using the existing NAT gateway with an Elastic IP is sufficient for routing outbound traffic.