Topic: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

An Amazon EC2 instance is located in a private subnet in a new VPC. This subnet does not have outbound internet access, but the EC2 instance needs the ability to download monthly security updates from an outside vendor.

What should a solutions architect do to meet these requirements?

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

This approach will allow the EC2 instance to access the internet and download the monthly security updates while still being located in a private subnet. By creating a NAT gateway and placing it in a public subnet, it will allow the instances in the private subnet to access the internet through the NAT gateway. And then, configure the private subnet route table to use the NAT gateway as the default route. This will ensure that all outbound traffic is directed through the NAT gateway, allowing the EC2 instance to access the internet while still maintaining the security of the private subnet.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

NAT gateway does not allow internet on its own. It needs an internet gateway too. None of the answers make sense.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Refer to the link below:
https://aws.amazon.com/about-aws/whats-new/2021/06/aws-removes-nat-gateways-dependence-on-internet-gateway-for-private-communications/

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

lol, that's for 'private connections'

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Yes, the NAT gateway on its own does not allow connection to the internet. But the question specifies that it has been placed in a public subnet. Public subnets are public because they have access to the internet via an internet gateway.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
Public subnet – The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet.
Private subnet – The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.

Both B and C have caveats but are both viable:
C - A NAT instance is used as the NAT device instead of a NAT gateway, but it's still a viable option.
B - Has 2 redundant components (IGW and public subnet), and the NAT gateway would still route traffic to the IGW; if the VPC is a custom VPC, routing has to be set up.
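One way to check the point made in the thread above (a NAT gateway only gives a private subnet internet egress if the NAT gateway's own subnet has a default route to an internet gateway): a small Python validator, added here as an example that is not part of the original discussion. The VPC description it walks is constructed and simplified; the IDs and dictionary layout are placeholders, not real AWS API output.

```python
import copy

# Constructed sample topology (simplified, not real describe-* output): one public
# subnet with a default route to an IGW, one private subnet routing 0.0.0.0/0 to a
# NAT gateway that lives in the public subnet. IDs are placeholders.
VPC = {
    "subnets": {
        "subnet-public": {"route_table": "rtb-public"},
        "subnet-private": {"route_table": "rtb-private"},
    },
    "route_tables": {
        "rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
        "rtb-private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"},
    },
    "nat_gateways": {"nat-PLACEHOLDER": {"subnet": "subnet-public"}},
    "internet_gateways": {"igw-PLACEHOLDER"},
}

def default_target(vpc, subnet_id):
    """Target of the 0.0.0.0/0 route for the subnet, or None if it has none."""
    rtb = vpc["route_tables"][vpc["subnets"][subnet_id]["route_table"]]
    return rtb.get("0.0.0.0/0")

def is_public(vpc, subnet_id):
    """A subnet is public only if its default route points at an internet gateway."""
    return default_target(vpc, subnet_id) in vpc["internet_gateways"]

def private_subnet_egress(vpc, subnet_id):
    """Return (ok, reason): can hosts in subnet_id reach the internet for outbound
    downloads via a NAT gateway whose own subnet has an IGW route?"""
    target = default_target(vpc, subnet_id)
    if target is None:
        return False, "no default route: subnet is isolated"
    if target in vpc["internet_gateways"]:
        return False, "default route goes straight to an IGW: this subnet is public"
    nat = vpc["nat_gateways"].get(target)
    if nat is None:
        return False, f"default route target {target} is not a NAT gateway"
    if not is_public(vpc, nat["subnet"]):
        return False, f"NAT gateway {target} is in {nat['subnet']}, which has no IGW route"
    return True, f"egress via {target} in public subnet {nat['subnet']}"

def without_route(vpc, rtb_id, cidr):
    """Copy of the topology with one route removed, to exercise misconfigurations."""
    broken = copy.deepcopy(vpc)
    broken["route_tables"][rtb_id].pop(cidr, None)
    return broken
```

Removing the IGW route from the public subnet's route table turns the "NAT gateway in a public subnet" answer into the failure the thread warns about: the private subnet's default route still points at the NAT gateway, but the NAT gateway has no path to the internet.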

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

A NAT Gateway should have one interface in each network it is connected to. I don't understand what it means when they say it is located either in the private or in the public network. It should be in both. Therefore, B and D do not really make sense.
I choose D over B because there is a requirement to access the internet, and although it is possible for the NAT to exist without an internet gateway, the latter is still needed when internet access is required, which is the case in this scenario.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

An Internet Gateway is required anyway to access the internet.
Option B makes more sense: Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

A. provides direct internet access to the private subnet, which is not desired in this case as the goal is to restrict outbound internet access.

B. allows the EC2 in the private subnet to access the internet through the NAT gateway, which acts as a proxy. It provides controlled outbound internet access while maintaining the security of the private subnet.

C. is similar to using a NAT gateway, but it involves using a NAT instance. NAT instances require more manual configuration and management compared to NAT gateways, making them a less preferred option.

D. combines the use of an internet gateway and a NAT instance, which is not necessary. It introduces unnecessary complexity and adds a NAT instance that requires additional management.

Overall, option B is the most appropriate solution as it utilizes a NAT gateway placed in a public subnet to enable controlled outbound internet access for the EC2 instance in the private subnet.

NAT Gateways are preferred over NAT Instances by AWS and in general.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Option B meets the requirements, hence B is the right choice.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

D would have been the answer if the NAT gateway were installed in the public subnet and not where the EC2 instance is located. None of the answers are correct.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Why not C?

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Because NAT Gateways are preferred over NAT Instances by AWS and in general.

I have yet to find a situation where a NAT Instance would be more applicable than a NAT Gateway, which is fully managed and is overall an easier solution to implement, both in AWS questions and in the real world.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Requires a NAT gateway.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

Answer explained here: https://medium.com/@tshemku/aws-internet-gateway-vs-nat-gateway-vs-nat-instance-30523096df22

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

NAT Gateway is the right choice.

Re: AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251

https://www.islever.com/discussions/amazon/view/59966-exam-aws-certified-solutions-architect-associate-saa-c02/