Exam AWS Certified SysOps Administrator - Associate topic 1 question 120 discussion

The correct answer is C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway. The application needs to be able to download updates from the internet, but it's running on EC2 instances in a private subnet. Private subnets do not have direct access to the internet. A NAT gateway allows instances in a private subnet to connect to the internet or other AWS services but prevent the internet from initiating a connection with those instances.

Internet Gateway: Public access (e.g., web server). NAT Gateway: Private access to the internet (e.g., backend or database servers)

C is correct

C is correct. The NAT Gateway is deployed in the Public subnet and the route table for the private subnet points all internet bound traffic to the NAT GW.

C, NAT Gateway must be created in a public subnet

https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html This one is definitely C.

B why? because a public subnet don't need nat gateway, only private subnets need a nat gateway to connect to the internet

To enable the EC2 instances in private subnets to download software updates from the internet, a SysOps administrator should add a NAT gateway to a private subnet, and in the route table for the private subnets, add a route to the NAT gateway. Therefore, option B is the correct answer. Option A is incorrect because adding an internet gateway to the VPC and a route to the internet gateway in the private subnet's route table would not work since the private subnet does not have a public IP address. Option C is incorrect because adding a NAT gateway to the public subnet and a route to the NAT gateway in the private subnet's route table would not work because the private subnet requires outbound traffic to traverse the NAT gateway, which would be difficult to implement in a security perspective. Option D is incorrect because having two internet gateways is not practical and would not resolve the issue of allowing private instances to download software updates from the internet.

Can't be D. Can have only one IGW per VPC. Need IGW and route to a NAT Gateway from private subnet.

CCCCCCCCC

C https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/

To meet the requirements of the company's security policy, the SysOps administrator should choose option B: Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway. In this scenario, the EC2 instances in the private subnets need access to the internet to download software updates, but they cannot be directly connected to the internet. A NAT gateway allows the EC2 instances to connect to the internet indirectly by routing their traffic through the NAT gateway, which is located in a public subnet. The NAT gateway has a direct connection to the internet, so it can access the internet on behalf of the EC2 instances. To set this up, the SysOps administrator should create a NAT gateway in a private subnet and then add a route to the NAT gateway in the route table for the private subnets. This will allow the EC2 instances in the private subnets to access the internet through the NAT gateway.

cccccccc

A Nat Gateway enables instances in private subnets to connect to the internet. The Nat gateway must be deployed in the public subnet with an Elastic IP. Once the resource is created, a route table associated with the the private subnet needs to point internet-bound traffic to the NAT gateway. https://towardsdatascience.com/connecting-to-an-ec2-instance-in-a-private-subnet-on-aws-38a3b86f58fb