AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

An Amazon EC2 instance is located in a private subnet in a new VPC. This subnet does not have outbound internet access, but the EC2 instance needs the ability to download monthly security updates from an outside vendor. What should a solutions architect do to meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Create an internet gateway, and attach it to the VPC. Configure the private subnet route table to use the internet gateway as the default route.

Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the NAT instance as the default route.

Create an internet gateway, and attach it to the VPC. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the internet gateway as the default route.

Explanation:

Explanation

Correct Answer: B

Why Option B is correct:

Private subnet requirements: The EC2 instance is in a private subnet, which means it cannot have a public IP address or direct internet access.
NAT Gateway purpose: A NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections from the internet.
Public subnet placement: NAT Gateways must be placed in a public subnet with an internet gateway attached to the VPC.
Route table configuration: The private subnet's route table needs a default route (0.0.0.0/0) pointing to the NAT Gateway.
Security updates: This setup allows the EC2 instance to download security updates from external vendors while maintaining its private, secure status.

Why other options are incorrect:

Option A: Incorrect because attaching an internet gateway directly to a private subnet's route table would give the EC2 instance a public route, potentially exposing it to the internet and violating the private subnet requirement.

Option C: Incorrect because NAT instances should be placed in public subnets, not in the same private subnet as the EC2 instance. NAT instances need internet access through an internet gateway.

Option D: Incorrect because it creates unnecessary complexity (both internet gateway and NAT instance) and incorrectly configures the route table to use the internet gateway instead of the NAT instance for the private subnet.

Key AWS Concepts:

Private Subnet: Subnet without a route to an internet gateway
NAT Gateway: Managed AWS service that enables instances in private subnets to connect to the internet
Public Subnet: Subnet with a route to an internet gateway
Route Tables: Control traffic routing between subnets and to external networks

This solution maintains security by keeping the EC2 instance private while enabling necessary outbound internet access for updates.

Powered ByGPT-5.2

Comments

Loading comments...