Application servers currently deployed in a private subnet require the ability to integrate with a third-party service accessible through the Internet.

Which changes are required to provide outbound Internet connectivity in the VPC without providing inbound Internet connectivity to the application servers?

  1. Create a NAT Gateway without attaching an Internet Gateway to the VPC.
  2. Create a NAT Gateway and attach an Internet Gateway to the VPC.
  3. Attach an Internet Gateway to the VPC without creating a NAT Gateway.
  4. Attach a Virtual Private Gateway to the VPC and create a NAT Gateway.


  • 能够通过访问互联网。这一点应该是暗示Internet Gateway。

that allows communication between instances in your VPC and the internet

  • 但是并不需要互联网能够回访。这一点应该是暗示NAT Gateway。

enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.

对于两种网关,NAT Gateway中的图示很有参考价值,表明了两者的职责和区别。

The following diagram illustrates the architecture of a VPC with a NAT gateway. The main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP address as the source IP address.

而第4个答案中的Virtual Private Gate是Site-to-Site VPN的终结点。可以很容易排除。