Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 246 discussion

I think either the question or the answers are not formulated correctly because of this document: https://docs.aws.amazon.com/prescriptive-guidance/latest/load-balancer-stickiness/subnets-routing.html A - Might be possible but it's quite impractical B - Not needed as the setup described should work as is provided the SGs of the EC2 instances accept traffic from the ALB C - Update the route tables for the EC2 instances’ subnets to send 0.0.0.0/0 traffic through the internet gateway route - not needed as the EC2 instances would receive the traffic from the ALB ENIs. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0 - the default behaviour of the SG is to allow outbound traffic only. D - Create public subnets in each Availability Zone. Associate the public subnets with the ALB - if it's a internet facing ALB these should already be in place. Update the route tables for the public subnets with a route to the private subnets - no need as the local prefix entry in the route tables would take care of this point I'm 110% sure the question or answers or both are wrong. Prove me wrong! :)

I change my answer to 'D' because of following link: https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

Can a EC2 in the private subnet sends traffic to the internet through ELB without using NAT gateway/instance? if it's only about responses to requests coming through the ELB then no, you don't need NAT. If on the other hand you expect that your instances will need to initiate connections as oppose to just sending responses to the requests then yes, you will have to use NAT. The key point is that response to a request is not a new connection and will be sent to where it came from, i.e. to the ELB. https://serverfault.com/questions/986447/can-a-ec2-in-the-private-subnet-sends-traffic-to-the-internet-through-elb-withou

D looks the best but still it must have a internet gateway and once it has internet gateway we must add the route table for private subnet to talk to the public subnet so by using the it should be able to access. I don't think lb can act like internet gateway

Considering these statements: -The EC2 instances are in private subnets. - However, the internet traffic is not reaching the EC2 instances. A reliable solution is D according to following link: https://repost.aws/knowledge-center/public-load-balancer-private-ec2 Answer C could not satisfy the requirements because only outbound traffic rules are mentionned

A - "NAT gateway" is "to allow [outbound] internet traffic", but this is about inbound traffic B - This is about outbound traffic while the problem is inbound C - This is about outbound traffic while the problem is inbound D - Sounds correct, though the "update the route tables" should not be required if both subnets are in same VPC

this is a bad formulated question with gaps, but my reason tells me that if you want to connect something from a private subnet to internet you need a NAT (instance or gateway, bastion). Creating public subnets in each Availability Zone and associating them with the Application Load Balancer (ALB) won't resolve the problem of allowing internet traffic to reach the private EC2 instances. Public subnets are typically used when you want your EC2 instances to have direct internet access, not when you want to keep them in private subnets with indirect access through a load balancer.

ption A (replace ALB with Network Load Balancer and add a NAT gateway) is not the most straightforward solution because it changes the load balancer type and introduces a NAT gateway, which might be unnecessary if the goal is to use an ALB for web traffic. ALBs are commonly used for internet-facing web applications. Option B (move EC2 instances to public subnets and modify security group rules) involves placing instances in public subnets, which is generally not recommended for security reasons. Additionally, it suggests modifying security group rules for outbound traffic, which might not be the best practice to resolve the issue. Option C (update route tables and security group rules) addresses the route table update, but it also suggests moving instances to public subnets, which is not ideal from a security perspective.

Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.

Option A is incorrect Internet traffic is http and https so it cant be configured to NLB Option B and option C is incorrect because senging 0.0.0.0/0 is not best practices Option D is correct because its the only option left. and updating the route tables for the public subnets with a route to the private subnets ensures internet access to EC2 instances in private subnet.

D. is the correct solution. By creating public subnets and associating them with the ALB, inbound internet traffic can reach the ALB. The route tables for the public subnets are updated to include a route to the private subnets, allowing traffic to reach the EC2 instances in the private subnets. This setup enables secure access to the application while allowing internet traffic to reach the EC2 instances through the ALB.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html

A. suggests using a different type of load balancer and configuring a NAT gateway, but it does not address the issue of internet traffic reaching the EC2 instances. B. suggests exposing the EC2 instances to the public internet, which may pose security risks and does not address the issue of inbound internet traffic reaching the instances. C. suggests configuring the EC2 instances to have outbound internet access, but it does not solve the problem of inbound internet traffic reaching the instances. D. is the correct solution. By creating public subnets and associating them with the ALB, inbound internet traffic can reach the ALB. The route tables for the public subnets are updated to include a route to the private subnets, allowing traffic to reach the EC2 instances in the private subnets. This setup enables secure access to the application while allowing internet traffic to reach the EC2 instances through the ALB.

Should be C It would normally make sense to segregate your ALBs into public or private zones by security group and target group, but this is configuration rather than architectural placement - there is nothing preventing you from adding a rule to route specific paths or ports to a public subnet from an ALB that has until then been serving private subnets only.

To attach Amazon EC2 instances that are located in a private subnet, first create public subnets

I vote with the option D.

D is not quite accurate because subnets in a VPC have a local route by default, meaning that all subnets are able to communicate with each other: "Every route table contains a local route for communication within the VPC. This route is added by default to all route tables". This question is poorly formulated.