
SAA-C03 Question #469: Real Exam Question with Answer & Explanation

The correct answer is B: Configure a NAT gateway in the public subnets. Update the route table for the private subnets to.

Submitted by miguelv · Mar 4, 2026 · Design Secure Architectures

Question

A company has deployed a multi-tier web application to support a website. The architecture includes an Application Load Balancer (ALB) in public subnets, two Amazon Elastic Container Service (Amazon ECS) tasks in the public subnets, and a PostgreSQL cluster that runs on Amazon EC2 instances in private subnets. The EC2 instances that host the PostgreSQL database run shell scripts that need to access an external API to retrieve product information. A solutions architect must design a solution to allow the EC2 instances to securely communicate with the external API without increasing operational overhead. Which solution will meet these requirements?

Options

  • A. Assign public IP addresses to the EC2 instances in the private subnets. Configure security groups
  • B. Configure a NAT gateway in the public subnets. Update the route table for the private subnets to
  • C. Configure a VPC peering connection between the private subnets and a public subnet that has
  • D. Deploy an interface VPC endpoint to securely connect to the external API.

Explanation

EC2 instances in private subnets cannot access the internet unless there is a NAT gateway or a NAT instance configured. "To enable instances in a private subnet to connect to the internet or other AWS services, you can use a NAT gateway or NAT instance."

In this use case:

  • EC2 instances are in private subnets
  • They need to call external APIs (internet access)

The most operationally efficient and secure method is to place a NAT Gateway in a public subnet and update the route table for private subnets to route internet-bound traffic through it.

Incorrect Options:

  • A: Private subnets don't support public IPs.
  • C: VPC peering doesn't help reach the public internet.
  • D: Interface endpoints are for private connectivity to AWS services, not external APIs.
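The routing arrangement described above can be checked mechanically. The following is an added example, not part of the original page: it audits data shaped like EC2 DescribeRouteTables and DescribeNatGateways responses, and every ID in it is constructed.

```python
# Added example: constructed data shaped like EC2 DescribeRouteTables /
# DescribeNatGateways responses. All IDs below are made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private-ok",
     "Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    {"RouteTableId": "rtb-private-missing",
     "Associations": [{"SubnetId": "subnet-db-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-pub-a"}]


def default_route(table):
    """Return the 0.0.0.0/0 route of a route table, or None."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def audit_egress(route_tables, nat_gateways):
    """Classify each explicitly associated subnet by its internet egress path."""
    by_subnet = {a["SubnetId"]: default_route(t)
                 for t in route_tables for a in t["Associations"] if "SubnetId" in a}
    # A subnet is public when its default route targets an internet gateway.
    public = {s for s, r in by_subnet.items()
              if r and r.get("GatewayId", "").startswith("igw-")}
    nat_home = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    report = {}
    for subnet, route in by_subnet.items():
        if subnet in public:
            report[subnet] = "public (internet gateway)"
        elif route is None:
            report[subnet] = "private, no internet egress"
        elif nat_home.get(route.get("NatGatewayId")) in public:
            report[subnet] = "private, egress via NAT gateway"
        else:
            report[subnet] = "default route target is not a NAT gateway in a public subnet"
    return report


if __name__ == "__main__":
    for subnet, status in audit_egress(ROUTE_TABLES, NAT_GATEWAYS).items():
        print(subnet, "->", status)
```

Subnets that rely on the VPC's main route table have no explicit association entry and are skipped by this check.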
