What should be done to resolve the issue?

By:
In: SOA-C01
Tagged:
With: 1 Comment
A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet.To patch operating systems, the instances require outbound internet connectivity.For security reasons, the instances should not be reachable from the public Internet.The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table.However, the instances are still unable to reach the Internet.

What should be done to resolve the issue?

Assign Elastic IP addresses to the instances and create a route from the private subnets to the internet gateway

Delete the NAT instance and replace it with AWS WAF

Disable source/destination checks on the NAT instance

Start/stop the NAT instance so it is launched on a different host

Explanations:

Assigning Elastic IPs to the private instances would make them publicly accessible, which contradicts the requirement to keep them unreachable from the public internet.

AWS WAF (Web Application Firewall) is for managing web traffic filtering and does not address the issue of providing outbound internet connectivity from private instances.

Disabling source/destination checks on the NAT instance allows it to perform as a gateway, enabling outbound internet access for instances in private subnets.

Starting/stopping the NAT instance on a different host does not address the fundamental issue of the NAT instance’s configuration or functionality.

2025-09-28

1 Comment

  1. Brittany
    Author

    I organize that the answer is:
    Disable source/destination checks on the NAT instance

Leave a Reply

Your email address will not be published. Required fields are marked *

twelve + sixteen =