Question #1120
A solutions architect is designing a VPC with public and private subnets across three Availability Zones (AZs). The VPC uses IPv4 addressing, and each AZ contains one public and one private subnet. An internet gateway is attached to the VPC to provide internet access for resources in the public subnets. The private subnets must have restricted outbound internet access to allow Amazon EC2 instances to connect to an external API service securely.
What should the solutions architect implement to enable secure outbound internet access for the private subnets while ensuring high availability?
A. Deploy three NAT gateways, each in a separate public subnet across the three AZs. Configure a route table for each private subnet to direct non-VPC traffic to the NAT gateway in its respective AZ.
B. Launch three NAT instances, each in a separate private subnet across the three AZs. Configure a route table for each private subnet to direct non-VPC traffic to the NAT instance in its respective AZ.
C. Attach a second internet gateway to the VPC and associate it with the private subnets. Update the private subnet route tables to route non-VPC traffic through the second internet gateway.
D. Create a single egress-only internet gateway in one public subnet. Update all private subnet route tables to route non-VPC traffic through the egress-only internet gateway.
Explanation
The correct answer is A. A NAT gateway is an AWS-managed, zonal resource: it lets instances in private subnets initiate outbound connections (here, to the external API) while never accepting unsolicited inbound connections, which is exactly the "restricted outbound" behaviour the question asks for. Because each NAT gateway lives in a single AZ, high availability means one NAT gateway per AZ, placed in that AZ's public subnet, with each private subnet's route table sending 0.0.0.0/0 to the NAT gateway in the same AZ. If one AZ fails, its private subnet loses its egress path together with its instances, but the other two AZs keep working independently. Pointing all three private subnets at a single NAT gateway would instead make that one AZ a single point of failure for the whole VPC (and would add cross-AZ data transfer charges).
Why other options are incorrect:
- B: The option places the NAT instances in private subnets. A NAT instance only works in a public subnet, with a public or Elastic IP, a route to the internet gateway and source/destination checks disabled; in a private subnet it has no path to the internet itself, so it cannot forward anything. Even when placed correctly, NAT instances are self-managed EC2 instances, so patching, scaling and failover become your operational burden.
- C: A VPC can have only one internet gateway attached, so a second one cannot be added. Even setting that aside, giving a subnet a default route to an IGW makes it a public subnet: instances would need public IPs to use the route, and anything with a public IP becomes reachable inbound from the internet, which violates the requirement for restricted outbound-only access.
- D: Egress-only internet gateways handle IPv6 traffic only, but this VPC uses IPv4. They are also attached to the VPC as a whole rather than placed in a subnet.
Key Points:
- Use NAT gateways (not NAT instances) for HA and ease of management.
- Public NAT gateways must reside in public subnets (a subnet whose route table has a 0.0.0.0/0 route to the IGW) and need an Elastic IP.
- Each private subnet's route table must send 0.0.0.0/0 to the NAT gateway in its own AZ; a single shared NAT gateway creates a cross-AZ dependency.
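The explanation above describes a layout (one NAT gateway per AZ, each private subnet routed to the NAT gateway in its own AZ) and two ways to get it wrong (a shared single NAT gateway, or a NAT device that is not in a public subnet). The following audit script is an added example, not code from the original question or from AWS; it checks a VPC description for exactly those conditions. Its inputs are constructed inline and only mimic the field names of boto3's `describe_subnets`, `describe_route_tables` and `describe_nat_gateways` responses (an assumption about the shapes; in a real audit you would pass those API responses in). The `build_vpc` helper and all `subnet-`, `nat-`, `rtb-` and `igw-` identifiers are invented sample data.

```python
"""Audit: does every private subnet egress through a NAT gateway in its own AZ,
and does that NAT gateway sit in a public subnet?

Added example, not part of the original page. Input dicts are constructed to
mimic the shape of boto3 describe_subnets / describe_route_tables /
describe_nat_gateways output (assumed field names, not a live API call)."""

DEFAULT_ROUTE = "0.0.0.0/0"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]  # constructed sample AZs


def _default_route(route_table):
    """Return the active IPv4 default route of a route table, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == DEFAULT_ROUTE \
                and route.get("State", "active") == "active":
            return route
    return None


def _subnet_to_route_table(route_tables):
    """Map SubnetId -> explicitly associated route table; also return the main table."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def audit_nat_egress(subnets, route_tables, nat_gateways):
    """Return a list of (subnet_id, finding). An empty list means the layout matches option A."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    explicit, main = _subnet_to_route_table(route_tables)
    findings = []

    def table_for(subnet_id):
        return explicit.get(subnet_id, main)

    def is_public(subnet_id):
        # A public subnet is one whose default route points at an internet gateway.
        rt = table_for(subnet_id)
        route = _default_route(rt) if rt else None
        return bool(route and str(route.get("GatewayId", "")).startswith("igw-"))

    for subnet in subnets:
        sid = subnet["SubnetId"]
        if is_public(sid):
            continue  # public subnets are expected to route via the IGW
        rt = table_for(sid)
        route = _default_route(rt) if rt else None
        if route is None:
            findings.append((sid, "no default route: instances have no outbound path"))
            continue
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            findings.append((sid, f"default route targets {route} rather than a NAT gateway"))
            continue
        nat = nat_by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            findings.append((sid, f"{nat_id} is missing or not available"))
            continue
        if not is_public(nat["SubnetId"]):
            findings.append((sid, f"{nat_id} is not in a public subnet (no IGW route)"))
        if az_of[nat["SubnetId"]] != az_of[sid]:
            findings.append((sid, f"cross-AZ dependency: {nat_id} lives in {az_of[nat['SubnetId']]}"))
    return findings


def build_vpc(single_nat=False):
    """Constructed sample VPC: 3 AZs, one public and one private subnet each.
    With single_nat=True every private subnet routes through the NAT gateway in
    the first AZ, the shared-NAT shortcut that this audit is meant to catch."""
    subnets, route_tables, nats = [], [], []
    for i, az in enumerate(AZS):
        pub, priv, nat = f"subnet-pub{i}", f"subnet-priv{i}", f"nat-{i}"
        subnets += [{"SubnetId": pub, "AvailabilityZone": az},
                    {"SubnetId": priv, "AvailabilityZone": az}]
        nats.append({"NatGatewayId": nat, "SubnetId": pub, "State": "available"})
        route_tables.append({"RouteTableId": f"rtb-pub{i}",
                             "Associations": [{"SubnetId": pub}],
                             "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                        {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"}]})
        route_tables.append({"RouteTableId": f"rtb-priv{i}",
                             "Associations": [{"SubnetId": priv}],
                             "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                                        {"DestinationCidrBlock": DEFAULT_ROUTE,
                                         "NatGatewayId": "nat-0" if single_nat else nat}]})
    return subnets, route_tables, nats


if __name__ == "__main__":
    print("per-AZ NAT layout:", audit_nat_egress(*build_vpc()) or "OK")
    print("single shared NAT:", audit_nat_egress(*build_vpc(single_nat=True)))
```

The per-AZ layout (option A) produces no findings; the shared-NAT variant flags the two private subnets whose egress depends on another AZ, and moving a NAT gateway into a private subnet (the mistake in option B) is reported as a NAT with no IGW route. In a real account, replace `build_vpc` with the three `describe_*` calls and feed their `Subnets`, `RouteTables` and `NatGateways` lists to `audit_nat_egress`.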
Answer
The correct answer is: A