
Answer-first summary for fast verification
Answer: Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
## Explanation

**Correct Answer: A**

### Why Option A is Correct:

1. **NAT Gateway Architecture**: NAT gateways are the recommended AWS service for providing outbound internet access to private subnets while keeping instances secure from inbound internet connections.
2. **High Availability Design**: Creating one NAT gateway per Availability Zone (AZ) ensures high availability. If one AZ fails, the other AZs continue to provide internet access.
3. **Route Table Configuration**: Each private subnet needs a route table that routes non-VPC traffic (0.0.0.0/0) to the NAT gateway in its corresponding AZ.
4. **Public Subnet Placement**: NAT gateways must be placed in public subnets because they need a route to the internet gateway for outbound internet access.

### Why Other Options are Incorrect:

**Option B**: NAT instances are an older, less reliable solution that requires manual management and scaling. While they could work, NAT gateways are the AWS-managed, recommended solution that provides better availability and scalability.

**Option C**: Internet gateways cannot be attached to private subnets. Internet gateways are VPC-level resources that provide bidirectional internet access, which would expose private instances to inbound connections from the internet, defeating the purpose of having private subnets.

**Option D**: Egress-only internet gateways are designed for IPv6 traffic only, not IPv4. The question specifies that the VPC uses IPv4 CIDR blocks, so this solution would not work for IPv4 traffic.

### Key AWS Concepts:

- **Private Subnets**: Subnets without a route to an internet gateway, providing security for instances that shouldn't be directly accessible from the internet.
- **NAT Gateway**: AWS-managed service that allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections from the internet.
- **Route Tables**: Control traffic routing within the VPC. Private route tables should route 0.0.0.0/0 traffic to the NAT gateway.
- **High Availability**: Deploying NAT gateways across multiple AZs ensures resilience against AZ failures.
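The explanation above reduces to a handful of checkable properties: every private subnet has an IPv4 default route, that route targets an AWS-managed NAT gateway, the NAT gateway sits in a subnet with a route to the internet gateway, and the NAT gateway is in the same AZ as the subnet it serves. The following script is an added example, not part of the original question or of any AWS tooling. It builds a constructed three-AZ VPC model in the shape option A describes (the dictionary layout is a simplification of my own, not the AWS API response format) and audits it, then repoints routes to show what findings the designs behind options B, C and D, and a single shared NAT gateway, would produce.

```python
import copy

AZS = ("us-east-1a", "us-east-1b", "us-east-1c")


def build_recommended_vpc():
    """Constructed sample matching option A: one NAT gateway and one private
    route table per AZ. Route tables map a destination CIDR to a target id;
    the implicit 'local' route is omitted. Target ids use AWS-style prefixes
    (igw-, nat-, eigw-) but all values here are made up for the example."""
    vpc = {
        "subnets": {},
        "route_tables": {"rtb-pub": {"routes": {"0.0.0.0/0": "igw-main"}}},
        "nat_gateways": {},
    }
    for az in AZS:
        tag = az[-1]  # 'a', 'b', 'c'
        vpc["subnets"][f"subnet-pub-{tag}"] = {"az": az, "tier": "public", "route_table": "rtb-pub"}
        vpc["subnets"][f"subnet-priv-{tag}"] = {"az": az, "tier": "private", "route_table": f"rtb-priv-{tag}"}
        vpc["route_tables"][f"rtb-priv-{tag}"] = {"routes": {"0.0.0.0/0": f"nat-{tag}"}}
        vpc["nat_gateways"][f"nat-{tag}"] = {"subnet": f"subnet-pub-{tag}"}
    return vpc


def default_route_target(vpc, subnet_id):
    """Target of the 0.0.0.0/0 route in the subnet's route table, or None."""
    rt_id = vpc["subnets"][subnet_id]["route_table"]
    return vpc["route_tables"][rt_id]["routes"].get("0.0.0.0/0")


def audit_private_egress(vpc):
    """Return a list of findings. An empty list means every private subnet reaches
    the internet through a NAT gateway located in a public subnet of its own AZ."""
    findings = []
    for sid, sub in vpc["subnets"].items():
        if sub["tier"] != "private":
            continue
        target = default_route_target(vpc, sid)
        if target is None:
            findings.append(f"{sid}: no IPv4 default route, instances cannot download updates")
        elif target.startswith("igw-"):
            # Option C: an IGW route makes the subnet reachable from the internet in both directions
            findings.append(f"{sid}: default route to an internet gateway exposes the subnet to inbound traffic")
        elif target.startswith("eigw-"):
            # Option D: egress-only IGWs only carry IPv6
            findings.append(f"{sid}: egress-only internet gateway is IPv6-only, IPv4 default route will not work")
        elif target.startswith("nat-"):
            nat = vpc["nat_gateways"].get(target)
            if nat is None:
                findings.append(f"{sid}: default route points at unknown NAT gateway {target}")
                continue
            nat_subnet = nat["subnet"]
            nat_exit = default_route_target(vpc, nat_subnet) or ""
            if not nat_exit.startswith("igw-"):
                # A NAT gateway only works from a subnet that itself routes to the IGW
                findings.append(f"{sid}: NAT gateway {target} sits in {nat_subnet}, which has no route to an internet gateway")
            nat_az = vpc["subnets"][nat_subnet]["az"]
            if nat_az != sub["az"]:
                # Works, but an outage of nat_az takes this subnet's egress with it
                findings.append(f"{sid}: cross-AZ dependency on {target} in {nat_az}")
        else:
            # Option B style: a NAT instance (ENI or instance target) that must be managed by hand
            findings.append(f"{sid}: default route target {target} is not an AWS-managed NAT gateway")
    return findings


def with_default_route(vpc, route_table_id, target):
    """Copy of vpc with one route table's 0.0.0.0/0 route repointed, for what-if checks."""
    v = copy.deepcopy(vpc)
    v["route_tables"][route_table_id]["routes"]["0.0.0.0/0"] = target
    return v


if __name__ == "__main__":
    base = build_recommended_vpc()
    print("option A:", audit_private_egress(base) or "no findings")
    single_nat = with_default_route(with_default_route(base, "rtb-priv-b", "nat-a"), "rtb-priv-c", "nat-a")
    for finding in audit_private_egress(single_nat):
        print("single shared NAT:", finding)
```

The cross-AZ check is the one most often missed in practice: a single NAT gateway shared by all three private subnets passes every functional test yet recreates the single point of failure that the per-AZ design in option A is meant to remove. The same logic can be pointed at real route-table and NAT-gateway descriptions once they are mapped into this dictionary shape.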
Author: LeetQuiz Editorial Team
A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates.
What should the solutions architect do to enable internet access for the private subnets?
- **A.** Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
- **B.** Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
- **C.** Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
- **D.** Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only internet gateway.