
Answer-first summary for fast verification
Answer: Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **Private subnet requirements**: The EC2 instance is in a private subnet, which means it cannot have a public IP address or direct internet access.
2. **NAT Gateway purpose**: A NAT Gateway allows instances in private subnets to initiate outbound connections to the internet while preventing inbound connections from the internet.
3. **Public subnet placement**: NAT Gateways must be placed in a public subnet with an internet gateway attached to the VPC.
4. **Route table configuration**: The private subnet's route table needs a default route (0.0.0.0/0) pointing to the NAT Gateway.
5. **Security updates**: This setup allows the EC2 instance to download security updates from external vendors while maintaining its private, secure status.

**Why other options are incorrect:**

- **Option A**: Incorrect because attaching an internet gateway directly to a private subnet's route table would give the EC2 instance a public route, potentially exposing it to the internet and violating the private subnet requirement.
- **Option C**: Incorrect because NAT instances should be placed in public subnets, not in the same private subnet as the EC2 instance. NAT instances need internet access through an internet gateway.
- **Option D**: Incorrect because it creates unnecessary complexity (both an internet gateway and a NAT instance) and incorrectly configures the route table to use the internet gateway instead of the NAT instance for the private subnet.

**Key AWS Concepts:**

- **Private Subnet**: Subnet without a route to an internet gateway
- **NAT Gateway**: Managed AWS service that enables instances in private subnets to connect to the internet
- **Public Subnet**: Subnet with a route to an internet gateway
- **Route Tables**: Control traffic routing between subnets and to external networks

This solution maintains security by keeping the EC2 instance private while enabling necessary outbound internet access for updates.
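The three routing patterns contrasted above (option B versus the misconfigurations in options A and C) can be checked mechanically. The following is an added example, not part of the original question or of any AWS tooling; it uses constructed route-table and NAT-gateway records shaped like the `describe-route-tables` / `describe-nat-gateways` API output, with made-up resource IDs.

```python
# Constructed sample data, shaped like `aws ec2 describe-route-tables` /
# `describe-nat-gateways` output: a public subnet (default route -> IGW),
# a private subnet egressing through a NAT gateway (option B), and a
# misconfigured subnet whose default route goes straight to the IGW (option A).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"RouteTableId": "rtb-bad", "Associations": [{"SubnetId": "subnet-bad"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0def", "SubnetId": "subnet-public"}]


def subnet_egress(route_tables):
    """Map each associated subnet to its default-route target: ('igw'|'nat'|'none', id)."""
    egress = {}
    for table in route_tables:
        kind = ("none", None)
        for route in table["Routes"]:
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = ("igw", route["GatewayId"])
            elif "NatGatewayId" in route:
                kind = ("nat", route["NatGatewayId"])
        for assoc in table["Associations"]:
            egress[assoc["SubnetId"]] = kind
    return egress


def check_private_subnet(subnet_id, route_tables, nat_gateways):
    """Return findings for a subnet meant to be private; [] means it matches option B."""
    egress = subnet_egress(route_tables)
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    kind, target = egress.get(subnet_id, ("none", None))
    if kind == "igw":  # option A: the subnet is public in all but name
        return [f"{subnet_id}: default route -> {target}; subnet is effectively public"]
    if kind == "none":
        return [f"{subnet_id}: no default route; updates cannot be downloaded"]
    # option C: the NAT gateway itself must sit in a subnet that routes to an IGW
    if egress.get(nat_subnet.get(target), ("none", None))[0] != "igw":
        return [f"{target}: not in a subnet with an IGW default route"]
    return []
```

Against real accounts the same two functions can be fed the JSON from the corresponding `aws ec2 describe-*` calls, since only the `Routes`, `Associations`, `NatGatewayId` and `SubnetId` fields are read.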
Author: LeetQuiz Editorial Team
An Amazon EC2 instance is located in a private subnet in a new VPC. This subnet does not have outbound internet access, but the EC2 instance needs the ability to download monthly security updates from an outside vendor. What should a solutions architect do to meet these requirements?
- **A.** Create an internet gateway, and attach it to the VPC. Configure the private subnet route table to use the internet gateway as the default route.
- **B.** Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.
- **C.** Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the NAT instance as the default route.
- **D.** Create an internet gateway, and attach it to the VPC. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the internet gateway as the default route.