SOA-C03 Question #5: Real Exam Question with Answer & Explanation
The correct answer is A: Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT.
Question
A CloudOps engineer has created a VPC that contains a public subnet and a private subnet. Amazon EC2 instances that were launched in the private subnet cannot access the internet. The default network ACL is active on all subnets in the VPC, and all security groups allow outbound traffic. Which solution will provide the EC2 instances in the private subnet with access to the internet?
Options
- A. Create a NAT gateway in the public subnet. Create a route from the private subnet to the NAT
- B. Create a NAT gateway in the public subnet. Create a route from the public subnet to the NAT
- C. Create a NAT gateway in the private subnet. Create a route from the public subnet to the NAT
- D. Create a NAT gateway in the private subnet. Create a route from the private subnet to the NAT
Explanation
According to the AWS Cloud Operations and Networking documentation, instances in a private subnet do not have a direct route to the internet gateway and thus require a NAT gateway for outbound internet access. The correct configuration is to create a NAT gateway in the public subnet, associate an Elastic IP address, and then update the private subnet's route table to send all 0.0.0.0/0 traffic to the NAT gateway. This enables instances in the private subnet to initiate outbound connections while keeping inbound traffic blocked for security. Placing the NAT gateway inside the private subnet (Options C or D) prevents connectivity because it would not have a route to the internet gateway. Configuring routes from the public subnet to the NAT gateway (Option B) does not serve private subnet traffic. Hence, Option A follows AWS best practices for enabling secure, managed, outbound-only internet access from private resources.
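As an added example (not code from the exam page or from AWS), the following Python check encodes the two routing rules the explanation relies on: the private subnet's default route must point at a NAT gateway, and that NAT gateway must sit in a subnet whose own default route goes to an internet gateway. It evaluates all four options against constructed route tables shaped like simplified `aws ec2 describe-route-tables` output; the ids subnet-pub, subnet-priv, igw-example and nat-example are constructed placeholders.

```python
# Added example: offline check of NAT gateway egress for a private subnet.
# Route tables are constructed sample data shaped like describe-route-tables output.

DEFAULT = "0.0.0.0/0"

def route_table_for(route_tables, subnet_id):
    """Return the route table associated with subnet_id, or None if unassociated."""
    for rt in route_tables:
        if subnet_id in rt["Associations"]:
            return rt
    return None

def default_route_target(route_tables, subnet_id):
    """Return the target id (igw-*, nat-*, ...) of the subnet's 0.0.0.0/0 route, or None."""
    rt = route_table_for(route_tables, subnet_id)
    if rt is None:
        return None
    for route in rt["Routes"]:
        if route["DestinationCidrBlock"] == DEFAULT:
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def is_public_subnet(route_tables, subnet_id):
    """A subnet is public when its default route goes straight to an internet gateway."""
    target = default_route_target(route_tables, subnet_id)
    return target is not None and target.startswith("igw-")

def private_subnet_has_egress(route_tables, nat_gateways, private_subnet_id):
    """True only if the private subnet routes 0.0.0.0/0 to a NAT gateway that lives in a public subnet."""
    target = default_route_target(route_tables, private_subnet_id)
    if target is None or not target.startswith("nat-"):
        return False  # no NAT route on this subnet (Option B routes the public subnet instead)
    nat_subnet = nat_gateways.get(target)  # nat id -> subnet the gateway was created in
    if nat_subnet is None:
        return False
    return is_public_subnet(route_tables, nat_subnet)  # Options C/D: NAT in private subnet has no IGW path

def scenario(nat_subnet, route_from_subnet):
    """Build constructed route tables for one answer option: where the NAT sits, which subnet routes to it."""
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
    tables = [
        {"Associations": ["subnet-pub"], "Routes": [local, {"DestinationCidrBlock": DEFAULT, "GatewayId": "igw-example"}]},
        {"Associations": ["subnet-priv"], "Routes": [local]},
    ]
    rt = route_table_for(tables, route_from_subnet)
    # one route per destination: a NAT default route on the public table displaces its IGW route
    rt["Routes"] = [r for r in rt["Routes"] if r["DestinationCidrBlock"] != DEFAULT]
    rt["Routes"].append({"DestinationCidrBlock": DEFAULT, "NatGatewayId": "nat-example"})
    return tables, {"nat-example": nat_subnet}

OPTIONS = {"A": ("subnet-pub", "subnet-priv"), "B": ("subnet-pub", "subnet-pub"),
           "C": ("subnet-priv", "subnet-pub"), "D": ("subnet-priv", "subnet-priv")}

def evaluate_option(letter):
    """Return whether the private subnet gets internet egress under the given answer option."""
    tables, nats = scenario(*OPTIONS[letter])
    return private_subnet_has_egress(tables, nats, "subnet-priv")
```

Only option A yields egress; B fails because the private subnet never gets a NAT route, and C and D fail because the NAT gateway's own subnet has no route to the internet gateway.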