Q31 — AWS SAA-C03 Ch.1


Q31. A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates. What should the solutions architect do to enable internet access for the private subnets?

Correct Answer: A. Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.

Explanation

To enable internet access for the instances in the private subnets, a common design pattern is to place Network Address Translation (NAT) gateways in the public subnets. A NAT gateway lets instances in the private subnets initiate connections to the internet without exposing their private IP addresses. In this scenario, creating three NAT gateways, one in each public subnet in each AZ, and then creating a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ is the correct approach. Each NAT gateway must be associated with an Elastic IP address so that it keeps a static public IP address.

Option B is incorrect because creating NAT gateways in the private subnets does not provide internet access for the private instances; the NAT gateways must be created in the public subnets, which have a route to the internet gateway.

Option C is incorrect because attaching another internet gateway to the private subnet is not recommended, as it is neither a secure nor a scalable solution.

Option D is incorrect because egress-only internet gateways only allow outbound traffic from instances in a private subnet to the internet and do not allow inbound traffic from the internet to instances in the private subnet. Therefore, they do not help in this scenario, where instances in the private subnet need to download software updates from the internet.