Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 101 discussion

NAT Instances - OUTDATED BUT CAN STILL APPEAR IN THE EXAM! However, given that A provides the newer option of NAT Gateway, then A is the correct answer. B would be correct if NAT Gateway wasn't an option.

The correct answer is option A. To enable Internet access for the private subnets, the solutions architect should create three NAT gateways, one for each public subnet in each Availability Zone (AZ). NAT gateways allow private instances to initiate outbound traffic to the Internet but do not allow inbound traffic from the Internet to reach the private instances. The solutions architect should then create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ. This will allow instances in the private subnets to access the Internet through the NAT gateways in the public subnets.

NAT Gateways are much better here as they can easily scale and provide high availability. NAT instances cant provide scalability and HA. Internet Gateway is 2-way and not suitable here. Egress-only is used for IPv6.

You have to create 3 NAT gateways but in the private subnet. Public and Private Subnets are the name of the concept . A public subnet is a subnet with a route to the internet gateway , private subnet doesn't have a route to the internet gateway. In this case the private subnets must have the NAT Gateway/NAT Instances , not the public subnet because if we are defined a subnet as public it means that this subnet has a route to the IG.

Ans A - it can only be A or B and NAT Gateways are preferred over NAT Instances.

the correct answer is A, to connect a private subnet to the internet using internet gateways is irrelevant, you have to use either NAT gateway or NAT instance, and NAT gateway is the better choice.

Nat instances can do the same except it's not cost effective also it need a lot of managment, going with nat gateways makes more sense

in Azure there is 1 NAT GW multi AZ, 1 per network, I think this is example for AWS to change

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html

The best solution is to create a NAT gateway in each public subnet (one per availability zone), and update the route tables for the private subnets to send internet traffic to the NAT gateway. NAT gateways allow private subnets to access the internet for things like software updates, without exposing those instances directly to the internet. An egress-only internet gateway would allow outbound access, but also allow inbound internet traffic, which is not desired for the private subnets.

"Egress" means outbound connection, remove D. "Second gateway", remove C. Now has only A and B. The different between A versus B is "1 NAT gateway, 1 for public subnet in each AZ" (A) and "1 NAT gateway, 1 for private subnet in each AZ" (B). Choose A.

By creating a NAT gateway in each public subnet, the private subnets can route their Internet-bound traffic through the NAT gateways. This allows EC2 in the private subnets to download software updates and access other resources on the Internet. Additionally, a separate private route table should be created for each AZ. The private route tables should have a default route that forwards non-VPC traffic (0.0.0.0/0) to the corresponding NAT gateway in the same AZ. This ensures that the private subnets use the appropriate NAT gateway for Internet access. B is incorrect because NAT instances require manual management and configuration compared to NAT gateways, which are a fully managed service. NAT instances are also being deprecated in favor of NAT gateways. C is incorrect because creating a second internet gateway on a private subnet is not a valid solution. Internet gateways are associated with public subnets and cannot be directly associated with private subnets. D is incorrect because egress-only internet gateways are used for IPv6 traffic.

NAT Gateway will be created Public Subnet and Provide access to Private Subnet

A is correct. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html

Now NAT Instances is avoided by AWS. Then choose the NAT Gateway

A: NAT Gateway

NAT Gateway - AWS-managed NAT, higher bandwidth, high availability, no administration