Q58 — AWS DVA-C02 Ch.2
Question 58 of 100
A developer created an AWS Lambda function to retrieve data from a public API endpoint and process it. The Lambda function is configured to connect to a VPC’s private subnet. An Internet Gateway is attached to the VPC. The VPC uses default network ACLs and security group configurations. The developer finds the Lambda function cannot access the public API. The public API is confirmed accessible externally, but the Lambda function cannot reach it. How should the developer resolve this connectivity issue?
- A. Ensure the network ACL allows outbound traffic to the public internet.
- B. Ensure the security group allows outbound traffic to the public internet.
- C. Ensure outbound traffic from the private subnet is routed to a public NAT gateway. ✓
- D. Ensure outbound traffic from the private subnet is routed to a new Internet Gateway.
Correct Answer: C. Ensure outbound traffic from the private subnet is routed to a public NAT gateway.
Explanation
A Lambda function attached to a VPC sends its traffic through an elastic network interface (ENI) in the chosen subnet, and that ENI only ever carries a private IP address. Traffic from a private IP cannot leave through an Internet Gateway, because the IGW performs one-to-one NAT only for resources that hold a public or Elastic IP. The function therefore needs a NAT gateway (or NAT instance) in a public subnet, and the private subnet's route table needs a default route (0.0.0.0/0) that targets it; the NAT gateway's own subnet routes 0.0.0.0/0 to the IGW. Options A and B change nothing: the default network ACL allows all inbound and outbound traffic, and the default security group allows all outbound traffic, so neither is what blocks the function. Option D fails twice over: a VPC can have only one Internet Gateway attached, and even routing the subnet to the existing IGW would not help, because the Lambda ENI has no public IP for the IGW to translate. Therefore, Option C is correct.
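The diagnosis above can be checked against the real account rather than guessed at. The script below is an added example (not part of the exam question or any AWS tooling): it reads the JSON that `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` returns, finds the route table the Lambda subnet actually uses (explicit association first, else the VPC's main table), and classifies its default route. It goes one step beyond the question by flagging the Option D trap: a route to an `igw-` target is reported as a failure for Lambda even though it would work for an EC2 instance with a public IP. All resource IDs in the embedded sample are constructed placeholders.

```python
"""Check whether a Lambda function's subnet has a usable internet egress route.

Added example for the exam question above; not AWS code. The input format is
the output of `aws ec2 describe-route-tables`. The sample below is constructed
and every rtb-/subnet-/nat-/igw-/vpc- identifier in it is a placeholder.
"""
import json

# Constructed sample VPC with three subnets:
#   subnet-0aaa -> rtb-0igw  (0.0.0.0/0 -> igw-...): Option D, does not help Lambda
#   subnet-0bbb -> rtb-0nat  (0.0.0.0/0 -> nat-...): Option C, the fix
#   subnet-0ccc -> no explicit association, falls back to rtb-0main (no default route)
SAMPLE = json.dumps({
    "RouteTables": [
        {
            "RouteTableId": "rtb-0main", "VpcId": "vpc-0example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
            "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
        },
        {
            "RouteTableId": "rtb-0igw", "VpcId": "vpc-0example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
            ],
            "Associations": [{"Main": False, "SubnetId": "subnet-0aaa", "RouteTableId": "rtb-0igw"}],
        },
        {
            "RouteTableId": "rtb-0nat", "VpcId": "vpc-0example",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
            ],
            "Associations": [{"Main": False, "SubnetId": "subnet-0bbb", "RouteTableId": "rtb-0nat"}],
        },
    ]
})


def route_table_for_subnet(tables, subnet_id):
    """Return the route table a subnet uses: its explicit association if one
    exists, otherwise the VPC's main route table (the AWS fallback rule)."""
    main = None
    for table in tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def default_route_target(table):
    """Classify the active 0.0.0.0/0 route as ('nat', id), ('igw', id),
    ('other', id) or (None, None) when no usable default route exists."""
    for route in table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") != "active":  # 'blackhole' means the target was deleted
            continue
        if "NatGatewayId" in route:
            return "nat", route["NatGatewayId"]
        gw = route.get("GatewayId", "")
        if gw.startswith("igw-"):
            return "igw", gw
        # Transit gateway, NAT instance (InstanceId/NetworkInterfaceId), etc.
        target = (route.get("TransitGatewayId") or route.get("NetworkInterfaceId")
                  or route.get("InstanceId") or gw)
        return "other", target
    return None, None


def diagnose_lambda_egress(describe_output, subnet_id):
    """Return 'ok: ...', 'fail: ...' or 'check: ...' for a Lambda ENI in subnet_id.

    Lambda ENIs only get private IPs, so a default route to an IGW (a so-called
    public subnet) is not enough: the traffic must be NATed."""
    tables = json.loads(describe_output)["RouteTables"]
    table = route_table_for_subnet(tables, subnet_id)
    if table is None:
        return "fail: no route table found for subnet"
    kind, target = default_route_target(table)
    rtb = table["RouteTableId"]
    if kind == "nat":
        return f"ok: {rtb} routes 0.0.0.0/0 to {target}"
    if kind == "igw":
        return (f"fail: {rtb} routes 0.0.0.0/0 to {target}; a Lambda ENI has no public IP, "
                f"so an IGW cannot carry its traffic. Point this route at a NAT gateway instead.")
    if kind == "other":
        return f"check: {rtb} routes 0.0.0.0/0 to {target}; confirm that path performs NAT"
    return f"fail: {rtb} has no active default route; the function can reach only the VPC"


if __name__ == "__main__":
    for subnet in ("subnet-0aaa", "subnet-0bbb", "subnet-0ccc"):
        print(subnet, "->", diagnose_lambda_egress(SAMPLE, subnet))
```

Pipe real output into `diagnose_lambda_egress` with the subnet ID from the function's VPC configuration; an `ok` verdict still assumes the NAT gateway's own subnet routes 0.0.0.0/0 to the IGW, which the same script can confirm by diagnosing that subnet and expecting `fail: ... igw-` (correct for the NAT subnet, since the NAT gateway does hold a public IP).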