What else does the security engineer need to do to ensure the application will not be exposed directly to the internet, but can still communicate as required?
Launch a NAT instance in the public subnet. Update the custom route table with a new route to the NAT instance.
Remove the internet gateway, and add AWS PrivateLink to the VPC. Then update the custom route table with a new route to AWS PrivateLink.
Add a managed NAT gateway to the VPC. Update the custom route table with a new route to the gateway.
Add an egress-only internet gateway to the VPC. Update the custom route table with a new route to the gateway.
Explanations:
A NAT instance in the public subnet is an option for IPv4, but the question specifically mentions IPv6, which requires an egress-only internet gateway, not a NAT instance.
AWS PrivateLink provides private connectivity to AWS services and to endpoint services exposed by other VPCs; it is not a path for general internet access and would not provide the outbound IPv6 connectivity this scenario needs. Removing the internet gateway without replacing it with an IPv6 egress path would leave the instance unable to reach the internet at all.
A managed NAT gateway performs address translation for IPv4 only. For IPv6, an egress-only internet gateway is required to allow outbound traffic while preventing inbound connections initiated from the internet.
An egress-only internet gateway is specifically used for IPv6 traffic to allow outbound internet access without exposing the instance directly to inbound internet traffic.
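As an added illustration, not part of the original question or its explanations, the check below classifies a VPC route table's default routes by whether they expose a subnet to inbound internet traffic. It mirrors the shape of `aws ec2 describe-route-tables` output; the route table and all resource ids are constructed sample data.

```python
# Added example: classify a subnet's default routes by exposure.
# SAMPLE_ROUTE_TABLE is constructed data shaped like describe-route-tables output.
from typing import Dict, Optional

SAMPLE_ROUTE_TABLE = {  # constructed: custom route table after the fix
    "RouteTableId": "rtb-example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        {"DestinationIpv6CidrBlock": "::/0",
         "EgressOnlyInternetGatewayId": "eigw-example"},
    ],
}

# Next-hop attributes a route can carry; InstanceId/NetworkInterfaceId is how
# a route points at a NAT instance.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "EgressOnlyInternetGatewayId",
               "InstanceId", "NetworkInterfaceId")


def _target_key(route: Dict[str, str]) -> Optional[str]:
    """Return which next-hop attribute this route uses, if any."""
    return next((k for k in TARGET_KEYS if k in route), None)


def classify_default_routes(route_table: Dict) -> Dict[str, str]:
    """Map '0.0.0.0/0' and '::/0' to an exposure class:
    'inbound-exposed': internet gateway, so addressable instances (every IPv6
                       address is globally routable) accept inbound connections;
    'outbound-only':   NAT instance or NAT gateway (IPv4) or egress-only IGW (IPv6);
    'no-internet':     no default route for that address family;
    'unexpected:<key>': a target that cannot serve that family, e.g. a NAT
                       instance or NAT gateway on the IPv6 default route.
    """
    result = {"0.0.0.0/0": "no-internet", "::/0": "no-internet"}
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in result:
            continue  # only default routes decide internet exposure
        key = _target_key(route)
        if key == "GatewayId" and route[key].startswith("igw-"):
            result[dest] = "inbound-exposed"
        elif dest == "0.0.0.0/0" and key in ("NatGatewayId", "InstanceId", "NetworkInterfaceId"):
            result[dest] = "outbound-only"
        elif dest == "::/0" and key == "EgressOnlyInternetGatewayId":
            result[dest] = "outbound-only"
        else:
            result[dest] = f"unexpected:{key}"
    return result


def is_private_with_egress(route_table: Dict) -> bool:
    """True when no default route leads to an internet gateway."""
    return "inbound-exposed" not in classify_default_routes(route_table).values()
```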