To allow resources in a private subnet to access the internet, which of the following must be present?

To enable resources in a private subnet to access the internet, a NAT Gateway is essential. A NAT Gateway provides a network address translation service, which allows instances within a private subnet (that don't have a public IP address) to initiate outbound connections to the internet while preventing unsolicited inbound connections from the internet. This functionality is crucial for scenarios where resources, such as updates or external API calls, are necessary without directly exposing them to incoming traffic from the internet.

In contrast, an Internet Gateway connects an AWS virtual private cloud (VPC) to the internet but is typically used for public subnets where instances have public IPs assigned. A VPN Gateway facilitates secure connections to an on-premises network but does not directly manage internet access. Direct Connect provides a dedicated network connection from your premises to AWS but also does not impact the internet access capabilities of private subnets. Therefore, a NAT Gateway is the appropriate solution for allowing outbound internet access from a private subnet.