SAA-C03 Question #215: Real Exam Question with Answer & Explanation

The correct answer is B: Create a NAT gateway in the public subnet. Configure the private subnet route table to use the.

Submitted by yaw92 · Mar 4, 2026 · Design Secure Architectures

Question

A company hosts an Amazon EC2 instance in a private subnet in a new VPC. The VPC also has a public subnet that has the default route set to an internet gateway. The private subnet does not have outbound internet access. The EC2 instance needs to have the ability to download monthly security updates from an outside vendor. However, the company must block any connections that are initiated from the internet. Which solution will meet these requirements?

Options

  • A. Configure the private subnet route table to use the internet gateway as the default route.
  • B. Create a NAT gateway in the public subnet. Configure the private subnet route table to use the
  • C. Create a NAT instance in the private subnet. Configure the private subnet route table to use the
  • D. Create a NAT instance in the private subnet. Configure the private subnet route table to use the

Explanation

Enable outbound internet access for an EC2 instance in a private subnet for security updates while blocking inbound internet-initiated connections.

Common mistakes

  • A. Configuring the private subnet's route table to use the internet gateway directly would expose the EC2 instance to inbound connections from the internet, violating the security requirement to block such connections.
  • C. A NAT instance in a private subnet cannot provide outbound internet access, because it has no route to the internet itself; a NAT instance must sit in a public subnet. It is also less managed and less highly available than a NAT Gateway.
  • D. While a NAT instance in a public subnet can provide outbound internet access, it is a less managed and less highly available solution compared to a NAT Gateway, making it not the optimal choice.

Concept tested: NAT Gateway for private subnet outbound access

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
