SOA-C02 Question #20: Real Exam Question with Answer & Explanation

Question

A Systems Administrator is planning to deploy multiple EC2 instances within two separate Availability Zones in the same AwS Region. The instances cannot be exposed to the Internet, but must be able to exchange traffic between one another. The data does not need to be encrypted. What solution meets these requirements while maintaining the lowest cost?

Options

• ACreate two private subnets within the same VPC.
• BCreate 2 public subnets within the same VPC.
• CCreate 2 separate VPCs, one for each Availability Zone.
• DCreate 2 separate VPCs, one for each Availability Zone and create a public subnet in each.

Explanation

Option A is correct because a single VPC spans all Availability Zones in a Region by default, so two private subnets - one per AZ - allows the instances to communicate with each other over the AWS internal network without any Internet Gateway, keeping them off the public internet at zero extra cost.

Option B fails the requirement because public subnets expose instances to the Internet (they have a route to an Internet Gateway), which violates the "cannot be exposed to the Internet" constraint.

Options C and D fail because creating separate VPCs introduces unnecessary cost and complexity - inter-VPC communication requires VPC Peering or a Transit Gateway, both of which add cost; additionally, Option D compounds the mistake by using public subnets.

Memory tip: Think "one VPC, many AZs" - a VPC is a regional construct, not an AZ-scoped one, so you never need to create separate VPCs just to span multiple AZs. If instances must stay private and talk to each other, private subnets within one VPC is always the simplest and cheapest answer.

No community discussion yet for this question.