AWS Certified Advanced Networking – Specialty ANS-C00 – Question235

Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?

A.
Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
B. Configure an outbound rule on the application server instance security group for the Git repository.
C. Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
D. Configure an inbound rule on the application server instance security group for the Git repository.

Correct Answer: B

Explanation:

Explanation:
The traffic leaves the instance destined for the Git repository; at this point, the security group must allow it through. The route then directs that traffic (based on the IP) to the NAT gateway. A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway. C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway. D is wrong because to allow outgoing traffic to the Git repository requires an outgoing security group rule.