An architect is designing a secure VPC architecture. They need to ensure that Amazon EC2 instances in private subnets can download software updates from the internet, but the instances must not be reachable from the internet. Additionally, all outbound traffic must be inspected by a third-party firewall appliance. Which THREE components are required? (Select THREE)

Answer options:

A NAT Gateway in a public subnet.

An Internet Gateway attached to the private subnet.

A VPC Peering connection to the internet.

A Gateway Load Balancer (GWLB) to route traffic to the third-party firewall appliances.

VPC route tables configured to route outbound traffic from the private subnets to the GWLB endpoint.

AWS WAF attached to the EC2 instances.

AWS Direct Connect.

How to approach this question

Combine outbound internet access with inline traffic inspection.

Full Answer

A,D,E

A NAT Gateway provides outbound internet access. To inspect this traffic with a third-party appliance, you use a Gateway Load Balancer (GWLB) and route traffic from the private subnet to the GWLB endpoint, then to the NAT Gateway.

Common mistakes

Forgetting that GWLB is the standard for third-party appliance insertion.

Question 30 All questions Question 32

Practice the full AWS Solutions Architect Professional SAP-C02 Practice Exam 2

75 questions · hints · full answers · grading

More questions from this exam

Q01A company is setting up a multi-account AWS environment using AWS Organizations. They need to ens...Easy Q02An enterprise needs to connect its on-premises data center to AWS. They require a dedicated, priv...Easy Q03A company wants to share a single AWS Transit Gateway across multiple AWS accounts within their A...Easy Q04An architect needs to design a highly available database architecture that spans multiple AWS Reg...Easy Q05A global financial institution is migrating its core banking application to AWS. The application ...Medium

View all 75 questions →