Application instances run in a private subnet and must download operating system patches from public package repositories on the internet. The instances must not be reachable from the internet, and inbound connections initiated from the internet must remain impossible. Which configuration provides the required outbound internet access while keeping the instances unreachable from outside?
- A. Attach an internet gateway to the VPC and add a route from the private subnet to the internet gateway so the instances can reach the package repositories directly.
- B. Add a route in the private subnet pointing to a virtual private gateway so outbound package traffic leaves the VPC and returns through the same gateway path.
- C. Place a NAT gateway in a public subnet and route the private subnet's internet-bound traffic to that NAT gateway, which forwards it out through the internet gateway. (Correct)
- D. Create an interface VPC endpoint in the private subnet so outbound requests to the public package repositories travel over the AWS private network instead.
Why A is wrong: Routing a private subnet straight to an internet gateway makes those instances publicly addressable and reachable from the internet, which breaks the requirement that they stay unreachable from outside.
Why B is wrong: A virtual private gateway connects a VPC to on-premises networks over VPN or Direct Connect, not to public internet repositories, so it does not give the instances the outbound internet path they need.
Why C is correct: A NAT gateway in a public subnet lets private instances start outbound connections to the internet while preventing any inbound connections initiated from outside, which exactly meets the stated requirement.
Why D is wrong: Interface endpoints reach specific AWS services privately, not arbitrary public package repositories on the internet, so they cannot provide the general outbound internet access the patch downloads require.