AWS Certified SysOps Administrator SOA-C01 – Question857

A SysOps Administrator maintains several Amazon EC2 instances that do not have access to the public internet. To patch operating systems, the instances require outbound internet connectivity. For security reasons, the instances should not be reachable from the public Internet.
The Administrator deploys a NAT instance, updates the security groups, and configures the appropriate routes within the route table. However, the instances are still unable to reach the Internet.
What should be done to resolve the issue?

A.
Assign Elastic IP addresses to the instances and create a route from the private subnets to the internet gateway
B. Delete the NAT instance and replace it with AWS WAF
C. Disable source/destination checks on the NAT instance
D. Start/stop the NAT instance so it is launched on a different host