Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 251 discussion

B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route. This approach will allow the EC2 instance to access the internet and download the monthly security updates while still being located in a private subnet. By creating a NAT gateway and placing it in a public subnet, it will allow the instances in the private subnet to access the internet through the NAT gateway. And then, configure the private subnet route table to use the NAT gateway as the default route. This will ensure that all outbound traffic is directed through the NAT gateway, allowing the EC2 instance to access the internet while still maintaining the security of the private subnet.

B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route. Explanation: NAT Gateway: NAT (Network Address Translation) gateway is a managed service provided by AWS that allows EC2 instances in private subnets to access the internet while preventing inbound traffic from directly accessing them. You place the NAT gateway in a public subnet with an associated internet gateway, allowing it to send traffic to the internet. Private Subnet Route Table: Configure the route table of the private subnet to route all outbound traffic (0.0.0.0/0) through the NAT gateway. This allows instances in the private subnet to access the internet through the NAT gateway while maintaining their private IP addresses and security.

A - if you "configure the private subnet route table to use the internet gateway" then it's no longer a private subnet B - Correct (you place NAT GW in a public subnet and add it to the private subnet's route table) C - NAT instance is deprecated, and it would still in a private subnet where it doesn't have Internet access D - NAT instance is deprecated, and in that answer it is created but not even used

yes, the nat gateway on its own does not allow connection to the internet. But the question specifies that it has been placed in a public subnet. public subnets are public because they have access to the internet via an internet gateway.

https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html Public subnet – The subnet has a direct route to an internet gateway. Resources in a public subnet can access the public internet. Private subnet – The subnet does not have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet. Both B and C have caveats but are both viable: C - NAT Instance is used as a NAT device instead of NAT gateway, but it's still viable option B - Have 2 redundant components - IGW and public subnet, and NAT gateway still would route traffic to IGW, and if VPC is a custom VPC routing has to be set up

A NAT Gateway should have one interface in each network it is connected to. I don't understand what it means when they say it is located either in the private or in the public network. It should be in both. Therefore, B and D do not really make sense. I choose D over B because there is a requirement to access the internet and although it is possible for the NAT to exist without an internet gateway, the later is still needed when internet access is required which is the case in this scenario.

Internet Gateway is required anyway to access the internet. Option B makes more sense: Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

A. provides direct internet access to the private subnet, which is not desired in this case as the goal is to restrict outbound internet access. B. allows the EC2 in the private subnet to access the internet through the NAT gateway, which acts as a proxy. It provides controlled outbound internet access while maintaining the security of the private subnet. C. is similar to using a NAT gateway, but it involves using a NAT instance. NAT instances require more manual configuration and management compared to NAT gateways, making them a less preferred option. D. combines the use of an internet gateway and a NAT instance, which is not necessary. It introduces unnecessary complexity and adds a NAT instance that requires additional management. Overall, option B is the most appropriate solution as it utilizes a NAT gateway placed in a public subnet to enable controlled outbound internet access for the EC2 instance in the private subnet. NAT Gateways are preferred over NAT Instances by AWS and in general.

Option B meets the reqiurements, hence B is right choice.

D would have been the answer if NAT gateway is installed in public subnet and not where EC2 is located. None of the answers are correct.

why not C?

Require NAT gateway

Answer explained here https://medium.com/@tshemku/aws-internet-gateway-vs-nat-gateway-vs-nat-instance-30523096df22

NAT Gateway is right choice

https://www.examtopics.com/discussions/amazon/view/59966-exam-aws-certified-solutions-architect-associate-saa-c02/