What should a SysOps administrator do to meet these requirements?
Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.
Explanations:
An internet gateway cannot be used for private subnets. Private subnets must not have direct access to the internet via an internet gateway.
A NAT gateway must be placed in a public subnet, not a private subnet. A route to the NAT gateway from private subnets is necessary, but the NAT gateway must reside in a public subnet.
A NAT gateway should be placed in a public subnet. Private subnets should route internet-bound traffic to the NAT gateway, allowing instances in private subnets to access the internet for updates while maintaining security.
Only one internet gateway is needed for a VPC. Multiple internet gateways are unnecessary and cannot be used in this scenario as the requirement is to restrict instances to private subnets with controlled internet access.
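The placement rules in these explanations can be checked mechanically. The following is an added example, not part of the original question: a small audit over data shaped like the EC2 `DescribeRouteTables` and `DescribeNatGateways` responses. The function names, the subnet and gateway IDs, and the sample tables are constructed for illustration, and it assumes public (internet-facing) NAT gateways.

```python
DEFAULT = "0.0.0.0/0"

def default_target(subnet_id, route_tables):
    """Target of the subnet's 0.0.0.0/0 route (explicit association, else main table)."""
    explicit = main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                explicit = rt
            elif assoc.get("Main"):
                main = rt
    for route in (explicit or main or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT:
            return route.get("GatewayId") or route.get("NatGatewayId") or ""
    return ""

def audit(private_subnets, route_tables, nat_gateways):
    """Return findings for the misconfigurations the explanations rule out."""
    findings = []
    for nat in nat_gateways:
        # A NAT gateway only reaches the internet from a public subnet,
        # i.e. one whose default route points at an internet gateway.
        if not default_target(nat["SubnetId"], route_tables).startswith("igw-"):
            findings.append(f"{nat['NatGatewayId']}: not in a public subnet ({nat['SubnetId']})")
    for subnet in private_subnets:
        target = default_target(subnet, route_tables)
        if target.startswith("igw-"):
            findings.append(f"{subnet}: default route goes directly to {target}")
        elif not target.startswith("nat-"):
            findings.append(f"{subnet}: no default route to a NAT gateway")
    return findings

# Constructed sample data (placeholder IDs), shaped like DescribeRouteTables output.
PUBLIC_RT = {"Associations": [{"SubnetId": "subnet-pub"}],
             "Routes": [{"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-example"}]}
PRIVATE_RT = {"Associations": [{"SubnetId": "subnet-priv"}],
              "Routes": [{"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-example"}]}
TABLES = [PUBLIC_RT, PRIVATE_RT]

if __name__ == "__main__":
    # NAT gateway in the public subnet: no findings.
    print(audit(["subnet-priv"], TABLES, [{"NatGatewayId": "nat-example", "SubnetId": "subnet-pub"}]))
    # NAT gateway in the private subnet: flagged.
    print(audit(["subnet-priv"], TABLES, [{"NatGatewayId": "nat-example", "SubnetId": "subnet-priv"}]))
```

In a real account the same structures can be taken from the `RouteTables` and `NatGateways` lists returned by those two API calls.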