Question #1389
A company hosts a multi-tier application in a VPC, with Amazon EC2 instances deployed in private subnets across multiple Availability Zones. These instances require internet access to download security updates from an external server. The company wants a fully managed solution that reduces administrative overhead.
Which solution fulfills these requirements?
A. Deploy a NAT instance in a public subnet. Update the route tables for the private subnets to direct internet-bound traffic to the NAT instance.
B. Deploy a NAT instance in a private subnet. Configure the private subnet route tables to route internet traffic through the NAT instance.
C. Create a NAT gateway in a public subnet. Update the private subnet route tables to route default internet traffic via the NAT gateway.
D. Create a NAT gateway in a private subnet. Configure the private subnet route tables to send internet traffic to the NAT gateway.
Explanation
The correct answer is C. Here's why:
- NAT Gateway vs. NAT Instance: NAT gateways are fully managed by AWS, need no patching or sizing, and scale with traffic automatically, which matches the requirement to reduce administrative overhead. A NAT instance (Options A/B) is an EC2 instance the company must patch, size, monitor and make highly available itself.
- Subnet Placement: a NAT device can only reach the internet if its own subnet's route table sends 0.0.0.0/0 to an Internet Gateway (IGW), i.e. if it sits in a public subnet. Options B/D place the NAT device in a private subnet, which has no route to the IGW, so traffic forwarded to it can never leave the VPC.
- Routing: the route table of each private subnet must send the default route (0.0.0.0/0) to the NAT gateway (Option C). Option A's routing is correct in principle, but it targets a NAT instance, which is not fully managed.
Key Points:
1. Use NAT gateways (not instances) for fully managed solutions.
2. NAT gateways must reside in public subnets, and a NAT gateway only initiates outbound connections; it does not accept connections initiated from the internet, so the private instances stay unreachable from outside.
3. Route tables in private subnets must target the NAT gateway for internet traffic (0.0.0.0/0).
4. A NAT gateway lives in a single Availability Zone. With instances spread across multiple AZs, as here, create one NAT gateway per AZ and give each private subnet its own route table pointing at the NAT gateway in its own AZ, so that losing one AZ does not cut off internet access (security updates included) for the others.
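Added example (not part of the original question or explanation): an offline Python check that applies the placement and routing rules above to route-table data and reports what is wrong. It flags a NAT gateway whose subnet has no 0.0.0.0/0 route to an IGW (Options B/D), a private subnet with no default route to an available NAT gateway, and a private subnet whose default route crosses into another Availability Zone (Key Point 4). The sample data is constructed; every subnet, route table, NAT gateway and IGW ID is made up, and the dictionaries only borrow the field names of `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways` in simplified form (explicit subnet associations only, no main route table). Nothing here calls AWS.

```python
"""Offline sanity check for NAT gateway placement and private-subnet routing."""
from typing import Dict, List, Optional

# Constructed sample data (made-up IDs), shaped after the EC2 API field names.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES_OK = [  # Option C, one NAT gateway per AZ
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-priv-a", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-priv-b", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]
NAT_GATEWAYS_OK = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
# Misconfiguration 1 (Option D): nat-a placed in a private subnet.
NAT_GATEWAYS_PRIVATE = [dict(NAT_GATEWAYS_OK[0], SubnetId="subnet-priv-a"), NAT_GATEWAYS_OK[1]]
# Misconfiguration 2: subnet-priv-b (us-east-1b) sends its default route to nat-a (us-east-1a).
ROUTE_TABLES_CROSS_AZ = ROUTE_TABLES_OK[:2] + [
    dict(ROUTE_TABLES_OK[2],
         Routes=[LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}])]


def route_table_for(subnet_id: str, route_tables: List[Dict]) -> Optional[Dict]:
    """Return the route table explicitly associated with the subnet, if any."""
    for rtb in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            return rtb
    return None


def default_route(rtb: Dict) -> Optional[Dict]:
    """Return the 0.0.0.0/0 route of a route table, if present."""
    return next((r for r in rtb["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def is_public(subnet_id: str, route_tables: List[Dict]) -> bool:
    """A subnet is public when its default route targets an internet gateway (igw-*)."""
    rtb = route_table_for(subnet_id, route_tables)
    if rtb is None:
        return False
    r = default_route(rtb)
    return r is not None and r.get("GatewayId", "").startswith("igw-")


def check_nat_routing(subnets: List[Dict], route_tables: List[Dict],
                      nat_gateways: List[Dict]) -> List[str]:
    """Return a list of findings; an empty list means the layout matches Option C."""
    findings: List[str] = []
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}

    # Rule 1: every NAT gateway must sit in a public subnet, or it cannot reach the IGW.
    for nat in nat_gateways:
        if not is_public(nat["SubnetId"], route_tables):
            findings.append(f"{nat['NatGatewayId']} is in {nat['SubnetId']}, which has no "
                            f"0.0.0.0/0 route to an internet gateway")

    # Rule 2: every private subnet must default-route to an available NAT gateway in its own AZ.
    for s in subnets:
        sid = s["SubnetId"]
        if is_public(sid, route_tables):
            continue
        rtb = route_table_for(sid, route_tables)
        r = default_route(rtb) if rtb else None
        nat_id = r.get("NatGatewayId") if r else None
        if nat_id is None:
            findings.append(f"{sid} has no 0.0.0.0/0 route to a NAT gateway")
            continue
        nat = nat_by_id.get(nat_id)
        if nat is None or nat["State"] != "available":
            findings.append(f"{sid} routes to {nat_id}, which is missing or not available")
            continue
        nat_az = az_of[nat["SubnetId"]]
        if nat_az != s["AvailabilityZone"]:
            findings.append(f"{sid} ({s['AvailabilityZone']}) routes via {nat_id} in {nat_az}: "
                            f"cross-AZ dependency")
    return findings


if __name__ == "__main__":
    for label, rtbs, nats in [("option C", ROUTE_TABLES_OK, NAT_GATEWAYS_OK),
                              ("option D", ROUTE_TABLES_OK, NAT_GATEWAYS_PRIVATE),
                              ("single NAT", ROUTE_TABLES_CROSS_AZ, NAT_GATEWAYS_OK)]:
        print(label, "->", check_nat_routing(SUBNETS, rtbs, nats) or "OK")
```

The same `check_nat_routing` function can be fed the real `Subnets`, `RouteTables` and `NatGateways` lists from the three `describe-*` calls once subnets that rely on the VPC's main route table are resolved to it; that resolution is deliberately left out of this offline version.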
Answer
The correct answer is: C