What change should the systems administrator make to the existing build fleet to comply with this new requirement?
Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.
Move all of the EC2 instances behind an internet gateway and provide the gateway IP address to the service.
Move all of the EC2 instances into a single Availability Zone and provide the Availability Zone IP address to the service.
Move all of the EC2 instances to a peered VPC and provide the VPC IP address to the service.
Explanations:
Moving all EC2 instances behind a NAT gateway ensures that all outbound traffic (including the build uploads) uses a single IP address, which can be provided to the third-party service for whitelisting.
An internet gateway is used for direct communication with the internet from a VPC. However, using an internet gateway would not guarantee that all EC2 instances share the same IP address, as each instance could have its own public IP.
Moving the EC2 instances to a single Availability Zone does not solve the IP whitelisting issue, as instances in the same Availability Zone can still have different public IP addresses.
Moving EC2 instances to a peered VPC would not ensure that all instances use a single IP address for the uploads. Peering allows VPCs to communicate, but it does not consolidate public IPs for outbound traffic.
If I had to guess, I’d say the answer is:
Move all of the EC2 instances behind a NAT gateway and provide the gateway IP address to the service.