Servers in a private subnet must be allowed only outbound communication to the internet for software updates, and must NOT receive direct access from the internet. Which component is BEST suited?
Selecting a component that enables outbound communication from a private subnet.
Internet Gateway (IGW)
An IGW enables bidirectional internet communication and also allows inbound access from the internet.
It does not match the requirement to allow only outbound communication while preventing direct access, so it is incorrect.
NAT gateway
Correct. A NAT gateway is a component that lets instances in a private subnet communicate outbound while not allowing direct inbound from the internet. It suits outbound communication such as software updates.
Egress-Only Internet Gateway
An Egress-Only Internet Gateway also allows only outbound communication, but it is a component dedicated to IPv6 traffic.
Typical software updates use IPv4 outbound communication, which is handled by a NAT gateway, so this option is incorrect.
VPC endpoint
A VPC endpoint is a private path for accessing AWS services such as S3 without traversing the internet.
Its destinations are limited to AWS services, so it cannot meet the requirement to reach update servers on the internet, such as external repositories. This option is incorrect.
'Private subnet' and 'outbound communication only' point to a NAT gateway. Bidirectional internet connectivity (public) is an IGW, IPv6 outbound only is an Egress-Only IGW, and a private path to AWS services is a VPC endpoint. Distinguish by direction and target.