AWS Certified Advanced Networking - Specialty: Restrict Outbound IPv6 Traffic from Instances to Internet



Question

You have a set of Instances in your VPC that communicate over the IPv6 protocol.

You need to ensure that traffic can flow from the Instances to the Internet but not vice versa.

How can you achieve this?

Answers

Explanations


A. B. C. D.

Answer - D.

This is also given in the AWS Documentation.

IPv6 addresses are globally unique and are therefore public by default.

If you want your instance to be able to access the Internet, but you want to prevent resources on the Internet from initiating communication with your instance, you can use an egress-only Internet gateway.

To do this, create an egress-only Internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 addresses to the egress-only Internet gateway.

IPv6 traffic in the subnet that's associated with the route table is routed to the egress-only Internet gateway.
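As an added check that is not part of the original question or of the AWS documentation it quotes: the Python below audits one route table (in the shape returned by `aws ec2 describe-route-tables` or boto3's `describe_route_tables()`) and flags IPv6 routes that still exit through a regular internet gateway, which would leave the instances' globally unique IPv6 addresses reachable from the Internet. The route-table, gateway IDs and prefixes in the sample are constructed.

```python
# Audit a VPC route table for the IPv6 egress-only pattern described above.
# Input: one RouteTable object as returned by `aws ec2 describe-route-tables`.
# All sample IDs/prefixes below are constructed, not from a real account.
import ipaddress


def classify_ipv6_routes(route_table):
    """Map each active IPv6 destination to how it leaves the VPC.

    'egress-only'   -> egress-only internet gateway (outbound only; desired)
    'bidirectional' -> internet gateway (Internet can initiate to instances)
    'other'         -> local, peering, NAT, etc.
    Routes in 'blackhole' state are ignored; a malformed CIDR raises.
    """
    result = {}
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationIpv6CidrBlock")
        if dest is None or route.get("State") == "blackhole":
            continue
        ipaddress.IPv6Network(dest)  # validate the prefix before classifying
        if route.get("EgressOnlyInternetGatewayId"):
            result[dest] = "egress-only"
        elif str(route.get("GatewayId", "")).startswith("igw-"):
            result[dest] = "bidirectional"
        else:
            result[dest] = "other"
    return result


def internet_facing_ipv6_routes(route_table):
    """IPv6 destinations routed to an internet gateway: these are the routes
    to retarget at an egress-only gateway if inbound must be blocked."""
    return sorted(dest for dest, kind in classify_ipv6_routes(route_table).items()
                  if kind == "bidirectional")


# Constructed sample: correct ::/0 -> eigw default route, plus a leftover
# igw route for one IPv6 prefix that the audit should flag.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example00000001",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8::/56", "GatewayId": "local", "State": "active"},
        {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example00000001", "State": "active"},
        {"DestinationIpv6CidrBlock": "2001:db8:ffff::/48", "GatewayId": "igw-0example00000001", "State": "active"},
    ],
}

if __name__ == "__main__":
    print(classify_ipv6_routes(SAMPLE_ROUTE_TABLE))
    print("retarget these at an eigw:", internet_facing_ipv6_routes(SAMPLE_ROUTE_TABLE))
```

Run it against each route table associated with your IPv6 subnets; an empty result from `internet_facing_ipv6_routes` means no IPv6 prefix is reachable inbound through an internet gateway.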

Option A is invalid since there is no such option.

Options B and C are invalid since this is not the right way to limit traffic for IPv6 for such a requirement.

For more information on egress-only internet gateways, refer to the URL below.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/egress-only-internet-gateway.html

To ensure that traffic can flow from the Instances to the Internet but not vice versa over the IPv6 protocol in a VPC, the following options are available:

A. Change the Internet gateway only to allow outbound traffic for IPv6:

An Internet gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. To allow traffic from instances to the Internet but not vice versa, you can modify the default route in the route table associated with the VPC to allow traffic to flow only in one direction. You can add a route that points to the IPv6 CIDR block of the Internet and set the target to the Internet gateway ID. This configuration allows outbound traffic but denies incoming traffic, as the default route in the route table does not allow traffic to flow from the Internet to the instances.

B. Change the Security Groups to not allow Inbound Traffic on the Instances:

Security groups act as a virtual firewall for instances to control inbound and outbound traffic. To allow traffic from instances to the Internet but not vice versa, you can modify the inbound rules of the security groups associated with the instances to deny all traffic. This configuration blocks incoming traffic to the instances, but allows outbound traffic, which means instances can communicate with the Internet.

C. Change the NACLs to not allow Inbound Traffic on the Instances:

Network Access Control Lists (NACLs) are stateless and act as a firewall at the subnet level to control inbound and outbound traffic. To allow traffic from instances to the Internet but not vice versa, you can modify the inbound rules of the NACLs associated with the subnet to deny all traffic. This configuration blocks incoming traffic to the subnet, but allows outbound traffic, which means instances can communicate with the Internet.

D. Use an Egress only Internet gateway:

An egress-only Internet gateway (EIG) is a horizontally scaled, redundant, and highly available VPC component that allows outbound-only communication from instances in your VPC to the Internet over IPv6. An EIG only allows outbound traffic and does not support inbound traffic, which means that instances cannot receive any incoming connections from the Internet. To allow traffic from instances to the Internet but not vice versa, you can use an EIG, which ensures that instances can initiate communication with the Internet over IPv6 while the Internet cannot initiate communication with them.

Therefore, the correct answer to the question is A, change the Internet gateway only to allow outbound traffic for IPv6.