Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. How would you configure the security group of your application server instances to download patches from the GIT repository?
 

Answer options:

A.Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
B.Configure an outbound rule on the application server instance security group for the NAT Gateway
C.Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
D.Configure an inbound rule on the application server instance security group for the Git repository.

Answer – B
The traffic leaves the instance destined for the NAT Gateway; at this point, the security group must allow it through. The route then directs that traffic (based on the IP) to the GIT repository
Option A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway.
Option C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway.
Option D is wrong because to allow outgoing traffic to the Git repository requires an outgoing security group rule
For more information on security groups, please refer to the below link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html