AWS Certified Advanced Networking Specialty Practice Exam

Prepare for the AWS Certified Advanced Networking Specialty Exam with detailed flashcards and multiple-choice questions. Each question includes hints and explanations. Ace your exam with confidence!


What is required to enable a newly created instance to access the Internet if it only has a private IP address?

  1. Attach an Elastic IP to the instance

  2. Configure a default route in the subnet route table to the on-premises network

  3. Set up a NAT gateway in the public subnet

  4. Add a public IP address to the instance

The correct answer is: Configure a default route in the subnet route table to the on-premises network

To enable a newly created instance that only has a private IP address to access the Internet, setting up a NAT gateway in the public subnet is the correct approach. A NAT (Network Address Translation) gateway allows instances in a private subnet to initiate outbound traffic to the Internet while preventing unsolicited inbound traffic from reaching those instances.

When an instance is launched within a Virtual Private Cloud (VPC) and assigned only a private IP address, it cannot directly access the Internet. The NAT gateway acts as an intermediary that routes traffic to the Internet and returns responses back to the instance. This way, the instance can access external resources, such as downloading software updates or accessing APIs, while maintaining its private IP address and being shielded from direct exposure to the Internet.

This solution is especially useful for scenarios where security is a concern, as it restricts incoming traffic while allowing necessary outbound communication. By configuring a default route in the subnet route table that points to the NAT gateway, the instance can then communicate with the outside world effectively.

In contrast, attaching an Elastic IP directly to the instance or adding a public IP address would expose the instance directly to the Internet, which can be less secure. Configuring a default route to an on-premises network would not enable Internet access