Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in understanding the subtle difference between NAT gateways and egress-only internet gateways for IPv6 traffic. In production, this is about knowing exactly how to enable outbound IPv6 internet access without exposing instances to inbound internet traffic. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
CoralTech Innovations is moving towards an IPv6-only deployment for all of its Amazon EC2 instances to future-proof their network architecture. The company has created a dual-stack VPC and set up subnets configured for IPv6-only addressing. These EC2 instances must never accept inbound traffic from the public internet, but they still require the ability to initiate outbound connections to the internet for software updates and external API calls.
The Requirement: #
Configure the VPC so that all IPv6 traffic from these EC2 instances can reach the internet without allowing unsolicited inbound IPv6 traffic.
The Options #
- A) Create and attach a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
- B) Create and attach an internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway. Attach the custom route table to the IPv6-only subnets.
- C) Create and attach an egress-only internet gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the egress-only internet gateway. Attach the custom route table to the IPv6-only subnets.
- D) Create and attach an internet gateway and a NAT gateway. Create a custom route table that includes an entry to point all IPv6 traffic to the internet gateway and all IPv4 traffic to the NAT gateway. Attach the custom route table to the IPv6-only subnets.
Correct Answer #
C
Quick Insight: The SOA-C02 Networking Imperative #
- NAT gateways perform IPv4 address translation only; their one IPv6 role is NAT64, which lets IPv6-only instances reach IPv4-only destinations. They cannot forward native IPv6 traffic to the internet.
- For IPv6, to allow outbound internet access while blocking inbound connections at the routing layer, use an egress-only internet gateway.
- A standard internet gateway forwards traffic in both directions, so a permissive security group would be all that stood between the instances' public IPv6 addresses and the internet.
- The key is a ::/0 IPv6 route that targets an egress-only internet gateway attached to the VPC.
The Expert’s Analysis #
Correct Answer #
Option C
The Winning Logic #
- NAT gateways exist to translate IPv4 addresses. They give private IPv4 instances outbound internet access, but they do not forward native IPv6 traffic.
- AWS-assigned IPv6 addresses are globally unique, so there is nothing to translate. To keep those addresses unreachable from the internet while still allowing outbound connections, AWS provides the egress-only internet gateway.
- An egress-only internet gateway is stateful: it forwards IPv6 connections initiated inside the VPC and drops unsolicited inbound IPv6 traffic. It does not carry IPv4 at all.
- The route table associated with the IPv6-only subnets must send all IPv6 (::/0) traffic to the egress-only internet gateway.
- Routing ::/0 to an internet gateway (Option B) allows both inbound and outbound IPv6 traffic, violating the requirement to block inbound access.
- Option D routes IPv6 to an internet gateway as well, so it has the same inbound exposure as B. Its IPv4 NAT route adds cost but never carries traffic, because the subnets are IPv6-only.
The Trap (Distractor Analysis): #
- Why not A? NAT gateways do not forward native IPv6 traffic, so the instances would be left with no working path to the IPv6 internet.
- Why not B? A ::/0 route to an internet gateway makes the instances' public IPv6 addresses reachable from the internet, violating the no-inbound rule.
- Why not D? The IPv6 half is identical to B, and just as exposed; the IPv4 NAT half is dead weight on IPv6-only subnets and does nothing for the outbound-only IPv6 requirement.
The Technical Blueprint #
# Create an egress-only internet gateway in the VPC and capture its ID from the response
EIGW_ID=$(aws ec2 create-egress-only-internet-gateway --vpc-id vpc-abc123 \
  --query 'EgressOnlyInternetGateway.EgressOnlyInternetGatewayId' --output text)
# Send all IPv6 (::/0) traffic from the custom route table to the egress-only internet gateway
aws ec2 create-route --route-table-id rtb-xyz789 --destination-ipv6-cidr-block ::/0 \
  --egress-only-internet-gateway-id "$EIGW_ID"
# Associate the custom route table with each IPv6-only subnet (repeat per subnet; subnet ID is a placeholder)
aws ec2 associate-route-table --route-table-id rtb-xyz789 --subnet-id subnet-REPLACE_ME
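The check a practitioner runs after applying the blueprint, as an added example that is not from the original page or from AWS: it takes the JSON shape returned by `aws ec2 describe-route-tables` and classifies every route table by where its IPv6 default route points, flagging tables whose ::/0 goes to a regular internet gateway (the Option B/D exposure). The sample input is constructed; the route table and gateway IDs in it are placeholders, and the `audit` and `classify_ipv6_egress` names are this example's own.

```python
"""Audit VPC route tables for IPv6 default-route exposure.

Feed it the output of `aws ec2 describe-route-tables --output json`
(RouteTables -> Routes, each with a Destination*CidrBlock and a target key).
"""
import json

# Constructed sample in the describe-route-tables shape; IDs are placeholders, not real resources.
SAMPLE_DESCRIBE_ROUTE_TABLES = {
    "RouteTables": [
        {   # Correct: IPv6 default route to an egress-only internet gateway (Option C)
            "RouteTableId": "rtb-egress-only",
            "Routes": [
                {"DestinationIpv6CidrBlock": "2600:1f18:1234::/56", "GatewayId": "local", "State": "active"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0a1b2c3d", "State": "active"},
            ],
        },
        {   # Exposed: IPv6 default route to a regular internet gateway (Option B / D)
            "RouteTableId": "rtb-exposed",
            "Routes": [
                {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0f0e0d0c", "State": "active"},
            ],
        },
        {   # Broken: only an IPv4 default route to a NAT gateway, no IPv6 path at all (Option A)
            "RouteTableId": "rtb-ipv4-nat-only",
            "Routes": [
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
            ],
        },
    ]
}


def route_target(route):
    """Return (kind, id) for the target of one route entry.

    describe-route-tables puts the target under whichever key matches the
    resource type; an internet gateway appears as GatewayId starting "igw-".
    """
    for key, kind in (
        ("EgressOnlyInternetGatewayId", "eigw"),
        ("NatGatewayId", "nat"),
        ("GatewayId", "gateway"),          # "local", or an igw-/vgw- ID
        ("NetworkInterfaceId", "eni"),
        ("InstanceId", "instance"),
        ("TransitGatewayId", "tgw"),
    ):
        if key in route:
            target = route[key]
            if kind == "gateway" and target.startswith("igw-"):
                kind = "igw"
            return kind, target
    return "unknown", None


def classify_ipv6_egress(route_table):
    """Classify how IPv6 traffic leaves one route table.

    Returns one of:
      "egress-only"            active ::/0 -> egress-only internet gateway (outbound only)
      "exposed"                active ::/0 -> internet gateway (inbound IPv6 is routable)
      "other-target"           active ::/0 -> something else (ENI, instance, TGW, ...)
      "no-ipv6-default-route"  no active ::/0 route, so no IPv6 internet path
    """
    for route in route_table.get("Routes", []):
        if route.get("DestinationIpv6CidrBlock") != "::/0":
            continue
        if route.get("State", "active") != "active":   # blackholed routes carry nothing
            continue
        kind, _ = route_target(route)
        if kind == "eigw":
            return "egress-only"
        if kind == "igw":
            return "exposed"
        return "other-target"
    return "no-ipv6-default-route"


def audit(describe_output):
    """Map RouteTableId -> classification for every table in the describe output."""
    return {rt["RouteTableId"]: classify_ipv6_egress(rt) for rt in describe_output["RouteTables"]}


if __name__ == "__main__":
    # Offline demo on the constructed sample. For a real account, replace the
    # sample with json.load() of `aws ec2 describe-route-tables --output json`.
    for table_id, verdict in audit(SAMPLE_DESCRIBE_ROUTE_TABLES).items():
        print(f"{table_id}: {verdict}")
```

Any table reported as "exposed" is a route table whose subnets have internet-reachable IPv6 addresses; "no-ipv6-default-route" on a route table attached to IPv6-only subnets means those instances cannot reach the internet at all, which is what Option A would produce.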
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact on Security | Correctness |
|---|---|---|---|---|
| A | Moderate (NAT gateway hourly and per-GB charges) | High | Not applicable (NAT gateways do not forward native IPv6; no IPv6 internet path at all) | Incorrect |
| B | Low | Low | Poor (::/0 to an internet gateway makes instance IPv6 addresses reachable from the internet) | Incorrect |
| C | Low | Low | High (unsolicited inbound IPv6 dropped, outbound allowed) | Correct |
| D | High (two gateways, one unused) | Complex | Poor (same IPv6 exposure as B; the IPv4 NAT route never carries traffic on IPv6-only subnets) | Incorrect |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, pick the egress-only internet gateway whenever the scenario asks for outbound-only IPv6 internet access with no inbound exposure.
Real World #
In production, teams often run dual-stack. For IPv4, NAT gateways remain necessary to give private instances outbound internet access. For IPv6, the egress-only internet gateway solves outbound access cleanly, with no address translation and none of the NAT gateway's per-hour and per-GB charges for that traffic. Two caveats a practitioner should keep in mind: the egress-only internet gateway only governs routing, so security groups and network ACLs still apply (and a security group with no inbound rules is the second layer that keeps an IPv6 address closed even if someone later adds an internet gateway route); and IPv6-only subnets still need a way to reach IPv4-only services, which AWS provides through DNS64 on the subnet plus a NAT gateway doing NAT64, with a 64:ff9b::/96 route pointing at that NAT gateway alongside the ::/0 route to the egress-only internet gateway.
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.