Egress-Only Internet Gateway: Misconceptions and Facts

Egress-Only Internet Gateway Incorrect Statement


Question

Which of the following statements about the egress-only Internet gateway is incorrect?


Explanations


Answer - B.

The AWS documentation says the following about the egress-only Internet gateway.

An egress-only Internet gateway is stateful: it forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances.

An egress-only Internet gateway has the following characteristics:

You cannot associate a security group with an egress-only Internet gateway.

You can use security groups for your instances in the private subnet to control the traffic to and from those instances.

You can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.

For more information on the egress-only Internet gateway, refer to the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/egress-only-internet-gateway.html

The correct answer is D. An egress-only Internet gateway is for use with IPv6 traffic only.

An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in a private subnet of a VPC to the Internet.

The following statements are correct about egress-only Internet gateways:

A. An egress-only Internet gateway is stateful.

  • An egress-only Internet gateway is stateful, which means that it tracks the state of the outbound traffic from a VPC subnet, and it allows the response traffic back to the subnet.

B. You can associate a security group with an egress-only Internet gateway.

  • Security groups control inbound and outbound traffic to and from EC2 instances, and they cannot be associated with an egress-only Internet gateway.

C. You can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.

  • A network access control list (network ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs can be used to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.

D. An egress-only Internet gateway is for use with IPv6 traffic only.

  • This statement is incorrect. An egress-only Internet gateway is for use with IPv6 traffic only, and it cannot be used for IPv4 traffic. To enable outbound communication over IPv4, you must use a NAT gateway instead.

Therefore, the correct answer is D. An egress-only Internet gateway is for use with IPv6 traffic only.
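The points above (IPv6 only, no security group on the gateway, network ACL on the subnet, stateful forwarding) can be checked mechanically. The audit script below is an added example, not code from this page or from AWS; its input dictionaries are constructed to mirror the shape of the describe_route_tables and describe_network_acls responses, and nothing in it calls AWS. The network ACL check is the one practitioners most often miss: the gateway is stateful, but the ACL is not, so responses the gateway forwards back still need an inbound allow on the ephemeral port range.

```python
"""Audit a private subnet's route table and network ACL for correct use of an
egress-only Internet gateway (EIGW). Added example, not code from the page or
from AWS; inputs mirror the shape of describe_route_tables/describe_network_acls."""

EPHEMERAL = (1024, 65535)  # responses to outbound connections land on high ports


def _return_rule(nacl):
    # Lowest-numbered inbound ::/0 entry covering the ephemeral range wins.
    for e in sorted(nacl["Entries"], key=lambda e: e["RuleNumber"]):
        if e["Egress"] or e.get("Ipv6CidrBlock") != "::/0" or e["Protocol"] not in ("-1", "6"):
            continue  # "-1" = all protocols, "6" = TCP
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if pr["From"] <= EPHEMERAL[0] and pr["To"] >= EPHEMERAL[1]:
            return e
    return None


def audit_eigw_subnet(route_table, nacl):
    """Return a list of findings; an empty list means the layout looks right."""
    findings = []
    v6 = [r for r in route_table["Routes"] if r.get("DestinationIpv6CidrBlock") == "::/0"]
    if not v6:
        findings.append("no IPv6 default route (::/0)")
    for r in v6:  # the EIGW is IPv6-only, so ::/0 must target an eigw-
        target = r.get("EgressOnlyInternetGatewayId") or r.get("GatewayId", "")
        if not target.startswith("eigw-"):
            findings.append(f"::/0 targets {target or 'nothing'}, expected an eigw-")
    for r in route_table["Routes"]:  # IPv4 egress needs a NAT gateway, not an IGW
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-"):
            findings.append("0.0.0.0/0 targets an igw-: the subnet is public, not private")
    # The EIGW is stateful, the network ACL is not: responses need an inbound allow.
    rule = _return_rule(nacl)
    if rule is None or rule["RuleAction"] != "allow":
        findings.append("NACL drops IPv6 return traffic on ports 1024-65535")
    return findings


# Constructed sample: a correctly configured private subnet.
GOOD_RT = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
    {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0example"}]}
GOOD_NACL = {"Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "Ipv6CidrBlock": "::/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "Ipv6CidrBlock": "::/0"}]}
BAD_NACL = {"Entries": GOOD_NACL["Entries"][1:]}  # constructed: default deny only
```

Against live data, pass the first element of `describe_route_tables()["RouteTables"]` and of `describe_network_acls()["NetworkAcls"]` for the subnet in question.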