An Administrator has an Amazon EC2 instance with an IPv6 address. The Administrator needs to prevent direct access to this instance from the Internet. The Administrator should place the EC2 instance in a:
A. Private Subnet with an egress-only Internet Gateway attached to the subnet and placed in the subnet Route Table.
B. Public subnet with an egress-only Internet Gateway attached to the VPC and placed in the VPC Route Table.
C. Private subnet with an egress-only Internet Gateway attached to the VPC and placed in the subnet Route Table.
D. Public subnet and a security group that blocks inbound IPv6 traffic attached to the interface.
A private subnet is isolated from the Internet, and resources in a private subnet can't be directly accessed from the Internet.
An egress-only Internet Gateway (EIGW) is attached at the VPC level and allows outbound IPv6 traffic to flow from instances in a private subnet to the Internet, while dropping inbound connections initiated from the Internet.
Adding a route to the egress-only Internet Gateway (for ::/0) in the route table associated with the private subnet ensures that outbound IPv6 traffic from that subnet to the Internet is routed correctly.
Correct Answer: C
https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html#egress-only-internet-gateway-working-with
"IPv6 addresses are globally unique, and are therefore public by default. If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. To do this, create an egress-only internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 address to the egress-only internet gateway. IPv6 traffic in the subnet that's associated with the route table is routed to the egress-only internet gateway."
Answer is C
An egress-only Internet gateway. This enables instances in the private subnet to send requests to the Internet over IPv6 (for example, for software updates). An egress-only Internet gateway is necessary if you want instances in the private subnet to be able to initiate communication with the Internet over IPv6. For more information, see Egress-only internet gateways.
An egress-only internet gateway has the following characteristics:
You cannot associate a security group with an egress-only internet gateway. You can use security groups for your instances in the private subnet to control the traffic to and from those instances.
You can use a network ACL to control the traffic to and from the subnet for which the egress-only internet gateway routes traffic.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
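The explanations above boil down to one routing fact: a subnet's IPv6 reachability is decided by the route table the subnet resolves to (explicit association, else the VPC main table) and by whether its IPv6 route points at an internet gateway or an egress-only internet gateway. The following audit function, an added example that is not from the original thread, classifies subnets from route tables shaped like EC2 DescribeRouteTables output; all route table, gateway and subnet IDs in it are constructed sample values.

```python
def ipv6_posture(route_table):
    """Classify one route table's IPv6 Internet path.

    'public'      IPv6 route to an internet gateway (igw-*): instances' IPv6
                  addresses are reachable from the Internet (options B and D).
    'egress-only' IPv6 route to an egress-only IGW (eigw-*): outbound only,
                  connections initiated from the Internet are dropped (option C).
    'isolated'    no IPv6 route to any Internet-facing gateway.
    """
    posture = "isolated"
    for route in route_table.get("Routes", []):
        if not route.get("DestinationIpv6CidrBlock") or route.get("State") == "blackhole":
            continue  # IPv4-only and blackholed routes carry no IPv6 traffic
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"  # a bidirectional path wins over any other route
        if route.get("EgressOnlyInternetGatewayId", "").startswith("eigw-"):
            posture = "egress-only"
    return posture


def audit_subnets(route_tables, subnet_ids):
    """Map each subnet to its IPv6 posture: explicit associations win, subnets
    without one inherit the VPC's main route table, as EC2 itself resolves it."""
    main = next((rt for rt in route_tables
                 if any(a.get("Main") for a in rt.get("Associations", []))), {})
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt.get("Associations", []) if a.get("SubnetId")}
    return {sid: ipv6_posture(explicit.get(sid, main)) for sid in subnet_ids}


# Constructed sample (not real AWS resources), shaped like DescribeRouteTables output:
# a public subnet (::/0 -> igw), a private subnet routed via an egress-only IGW
# (option C), and a subnet with no explicit association that inherits the main table.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main0", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public0", "Associations": [{"SubnetId": "subnet-public0"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0abc", "State": "active"}]},
    {"RouteTableId": "rtb-private0", "Associations": [{"SubnetId": "subnet-private0"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0abc",
                 "State": "active"}]},
]
SAMPLE_SUBNETS = ["subnet-public0", "subnet-private0", "subnet-orphan0"]

if __name__ == "__main__":
    for subnet, posture in audit_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{subnet}: {posture}")
```

Feeding it the real `Routes` and `Associations` lists from boto3's `describe_route_tables()` flags any subnet whose IPv6 addresses an internet gateway makes reachable, which no security group setting in option D changes at the routing layer.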
You are right, you cannot create an instance with IPv6 only; that is why you have to put it in the private subnet, assign it an IPv4 address, and configure an egress-only gateway to allow the instance to reach the internet with its IPv6 address.
The answer is C for me.
A. We cannot attach an Internet Gateway to a private subnet
D. Security groups don't block
B or C?
EC2 placed in a VPC route table or subnet route table?
Route tables are attached to subnets, so C sounds good to me.
IPv6 addresses are public, but if you route them through an egress-only IGW you are effectively making them inaccessible from the internet, and those subnets could possibly be considered "private" subnets.
I am torn between B and C (Depends on their intention)
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-subnets-commands-example-ipv6.html
After reading through the link I am comfortable with C
Any IPv6 addresses are public, so it does not matter where you put the instance; the only way to block inbound traffic is to use Security Groups.
D. Public subnet and a security group that blocks inbound IPv6 traffic attached to the interface.