Amazon ANS-C01 Exam - Topic 3 Question 58 Discussion

Actual exam question for Amazon's ANS-C01 exam

Question #: 58
Topic #: 3

A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6.

A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.

Which solution will meet these requirements?

ACreate an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.

BCreate an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.

CCreate an egress-only Internet gateway in the VPAdd a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.

DCreate an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.

Show Suggested Answer

Suggested Answer: C

by Arleen at Nov 23, 2025, 11:14 PM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Benton

5 hours ago

Wait, can you really block all inbound traffic and still use IPv6?

upvoted 0 times

...

Gerry

5 days ago

Just a heads up, egress-only gateways are specifically for IPv6!

upvoted 0 times

...

Shizue

11 days ago

I disagree, I think option D is more secure with that security group.

upvoted 0 times

...

Leeann

16 days ago

Haha, I bet the service provider is like "Hey, you gotta use IPv6 now!" Gotta keep up with the times, I guess.

upvoted 0 times

...

Coleen

21 days ago

C) Yep, the egress-only internet gateway is the way to go. Keeps things simple and secure.

upvoted 0 times

...

Janae

26 days ago

D) Denying all inbound traffic to the egress-only internet gateway is a nice touch to ensure no IPv6 traffic from the public internet.

upvoted 0 times

...

Rosita

1 month ago

C) Seems like the most straightforward solution to me. An egress-only internet gateway should do the trick.

upvoted 0 times

...

Kirk

1 month ago

I practiced a similar question where we had to restrict public internet access for IPv6. I feel like the NAT gateway options might not be the best fit here.

upvoted 0 times

...

Kelvin

1 month ago

I think option C sounds familiar because it allows outbound IPv6 traffic while blocking inbound, which aligns with the company's requirement.

upvoted 0 times

...

Melynda

2 months ago

I think I've got it! The egress-only internet gateway is the way to go here. It allows outbound IPv6 traffic from the private subnets, but blocks inbound IPv6 traffic from the public internet, which is exactly what the company wants. I'm feeling good about option C.

upvoted 0 times

...

Janna

2 months ago

I'm a bit confused about the difference between a regular internet gateway and an egress-only internet gateway. I'll need to make sure I understand that before I can confidently choose the right solution.

upvoted 0 times

...

Pearly

2 months ago

Okay, let me see. I'm leaning towards option C - creating an egress-only internet gateway and routing the IPv6 traffic through that. That way, the servers can initiate the IPv6 connections, but inbound IPv6 traffic from the public internet will be blocked.

upvoted 0 times

...

Lang

2 months ago

Option C seems like the best fit for egress-only traffic.

upvoted 0 times

...

Sharee

2 months ago

This question is tricky! I think option C might be the best.

upvoted 0 times

...

Elbert

2 months ago

I remember we discussed how egress-only internet gateways are specifically designed for IPv6 traffic, but I'm not entirely sure how they differ from regular internet gateways.

upvoted 0 times

...

Phillip

3 months ago

I’m a bit confused about whether the security group in option D would actually prevent all inbound traffic effectively. I need to double-check that concept.

upvoted 0 times

...

Annamae

3 months ago

A) Creating a NAT gateway is a good idea, but I'm not sure if it's necessary for this specific use case.

upvoted 0 times

...

Mollie

3 months ago

Hmm, the key here is that the company wants to enable IPv6 connectivity for their existing workload, but they don't want to allow IPv6 traffic from the public internet. I think I'll need to focus on the different gateway options.

upvoted 0 times

...

Ailene

3 months ago

This seems like a tricky one! I'll need to carefully read through the requirements and think through the different options.

upvoted 0 times

...