AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy that maximizes security without increasing operational overhead.
What should the solutions architect do to meet these requirements?
Other
Community
UAnonymous
A
Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
B
Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
C
Configure an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the internet gateway.
D
Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the virtual private gateway.
Explanation:
Explanation
Correct Answer: B
Why Option B is correct:
- NAT Gateway is a managed AWS service that provides outbound internet connectivity for instances in private subnets while preventing inbound connections from the internet.
- Security: NAT Gateway provides a secure way for private instances to access the internet without exposing them directly. The MySQL instances in private subnets can retrieve data from third-party providers without having public IP addresses.
- No operational overhead: NAT Gateway is a fully managed service by AWS, so there's no need to manage or patch instances like with NAT instances.
- High availability: NAT Gateway is automatically deployed in a highly available manner within an Availability Zone.
- Proper routing: By placing the NAT Gateway in public subnets and modifying the private subnet route table to direct internet-bound traffic to it, you create a secure outbound-only connection.
Why other options are incorrect:
Option A (NAT instance):
- Requires manual management, patching, and scaling
- Increases operational overhead (contrary to requirements)
- Not as highly available as NAT Gateway
- Requires managing EC2 instances
Option C (Internet Gateway):
- Would require instances in private subnets to have public IP addresses
- Exposes MySQL instances directly to the internet, compromising security
- Allows inbound connections, which is a security risk
- Doesn't provide the necessary outbound-only connectivity
Option D (Virtual Private Gateway):
- Used for VPN connections to on-premises networks
- Not designed for internet access
- Would not provide connectivity to third-party internet services
- More complex setup than needed
Key AWS Concepts:
- Private subnets should not have direct internet access via Internet Gateway
- NAT Gateway provides secure outbound-only internet access
- Managed services reduce operational overhead
- Security best practice: Keep database instances in private subnets with no public IP addresses
Comments
Loading comments...