
Answer-first summary for fast verification
Answer: Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **NAT gateway** is a managed AWS service that gives instances in private subnets outbound connectivity to the internet while refusing connections initiated from the internet; only return traffic for flows the instances started is translated back to them.
2. **Security**: the MySQL instances keep private IP addresses only. They reach the third-party catalog and pricing endpoints through the NAT gateway's Elastic IP, and nothing on the internet can address them directly. Egress should still be narrowed with the instances' security group outbound rules (for example, allow TCP 443 to the provider only), because a NAT gateway has no security group of its own.
3. **No operational overhead**: the NAT gateway is fully managed. There is no instance to patch, size, monitor, or fail over, all of which a NAT instance would require.
4. **High availability**: a NAT gateway is redundant within its Availability Zone, not across AZs. For resilience across AZs, create one NAT gateway in a public subnet of each AZ and point each private subnet's route table at the NAT gateway in the same AZ; a single gateway serving both AZs is a single point of failure and incurs cross-AZ data transfer.
5. **Proper routing**: the NAT gateway must live in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway) and have an Elastic IP. The private subnet route table's 0.0.0.0/0 entry is then set to the NAT gateway, which yields outbound-only connectivity.

**Why the other options are incorrect:**

**Option A (NAT instance):**
- Is an EC2 instance that you must patch, size, scale, and fail over yourself
- Increases operational overhead, which the requirements forbid
- Has no built-in redundancy; recovering from instance failure needs scripting or an Auto Scaling group
- Needs source/destination checking disabled plus its own security group and monitoring

**Option C (Internet gateway):**
- A subnet whose route table sends 0.0.0.0/0 to the internet gateway is, by definition, a public subnet, so the "private" tier stops being private
- The instances would also need public or Elastic IP addresses to use that route, since an internet gateway only performs address translation for instances that have a public address
- With public addresses, the MySQL instances become reachable from the internet; only their security groups stand between them and inbound connections, so one permissive rule exposes the database
- Does not give the outbound-only behaviour the requirement calls for

**Option D (Virtual private gateway):**
- Terminates AWS Site-to-Site VPN and Direct Connect connections to on-premises networks
- Does not provide internet access
- Cannot reach third-party services hosted on the public internet
- Adds VPN or Direct Connect setup that the scenario does not need

**Key AWS concepts:**
- **Private subnets** must not have a route to the internet gateway
- **NAT gateway** provides managed, outbound-only internet access for private subnets; deploy one per AZ
- **Managed services** reduce operational overhead
- **Security best practice**: keep database instances in private subnets with no public IP addresses, and scope their security group egress to the destinations and ports they actually need
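Option B reduces to two properties of the route tables: the NAT gateway sits in a subnet whose default route is the internet gateway, and each private subnet's default route is the NAT gateway in its own AZ. The Python script below is an added example, not code from the original page or from AWS; it audits constructed data in the shape returned by `aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways`, flags the Option C mistake (a private subnet routed straight to the IGW), and applies the route-table change that fixes it. The subnet, NAT gateway, route table and IGW IDs, the AZ names and the 10.0.0.0/16 CIDR are placeholders.

```python
"""Audit and remediate private-subnet default routes in a VPC.

Added example, not code from the original page. The dict fields mirror those used from
`aws ec2 describe-route-tables`, `describe-subnets` and `describe-nat-gateways`;
the sample data is constructed for this example and every ID is a placeholder.
"""
import copy

# Constructed sample: two AZs, one public and one private (database) subnet in each,
# and one NAT gateway per AZ, each in the public subnet of its own AZ.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-db-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-db-b", "AvailabilityZone": "us-east-1b"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    {   # public subnets: default route to the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}],
    },
    {   # private subnet in AZ a: correct, default route to the NAT gateway in its AZ
        "RouteTableId": "rtb-db-a",
        "Associations": [{"SubnetId": "subnet-db-a"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}],
    },
    {   # private subnet in AZ b: the Option C mistake, default route to the IGW
        "RouteTableId": "rtb-db-b",
        "Associations": [{"SubnetId": "subnet-db-b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}],
    },
]


def default_route(rt):
    """The 0.0.0.0/0 entry of a route table, or None if there is no default route."""
    return next((r for r in rt["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def audit(route_tables, subnets, nat_gateways, private_subnet_ids):
    """Return (subnet_id, finding) pairs for private subnets whose egress path is wrong."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    # Subnets without an explicit association use the VPC's main route table.
    main_rt = next((rt for rt in route_tables
                    if any(a.get("Main") for a in rt.get("Associations", []))), None)
    rt_of = {a["SubnetId"]: rt for rt in route_tables
             for a in rt.get("Associations", []) if "SubnetId" in a}

    def is_public(sid):
        # A subnet is public when its effective default route targets an internet gateway.
        rt = rt_of.get(sid, main_rt)
        return rt is not None and (default_route(rt) or {}).get("GatewayId", "").startswith("igw-")

    findings = []
    for sid in private_subnet_ids:
        rt = rt_of.get(sid, main_rt)
        dr = default_route(rt) if rt is not None else None
        if dr is None:
            findings.append((sid, "no default route: no outbound internet path at all"))
        elif dr.get("GatewayId", "").startswith("igw-"):
            findings.append((sid, "default route via internet gateway: subnet is effectively public"))
        elif "NatGatewayId" in dr:
            nat = nat_by_id.get(dr["NatGatewayId"])
            if nat is None or nat["State"] != "available":
                findings.append((sid, "default route targets a missing or unavailable NAT gateway"))
            elif not is_public(nat["SubnetId"]):
                findings.append((sid, "NAT gateway is in a subnet with no IGW route, so it cannot reach the internet"))
            elif az_of[nat["SubnetId"]] != az_of[sid]:
                findings.append((sid, "NAT gateway is in another AZ: cross-AZ dependency and data transfer"))
        else:
            findings.append((sid, "default route targets something other than a NAT gateway"))
    return findings


def point_default_route_at_nat(rt, nat_gateway_id):
    """Copy of a route table with its 0.0.0.0/0 route retargeted to nat_gateway_id
    (the data-level equivalent of `aws ec2 replace-route ... --nat-gateway-id`)."""
    fixed = copy.deepcopy(rt)
    fixed["Routes"] = [r for r in fixed["Routes"] if r.get("DestinationCidrBlock") != "0.0.0.0/0"]
    fixed["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": nat_gateway_id})
    return fixed


if __name__ == "__main__":
    private = ["subnet-db-a", "subnet-db-b"]
    for sid, finding in audit(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS, private):
        print(f"{sid}: {finding}")
    fixed = [point_default_route_at_nat(rt, "nat-b") if rt["RouteTableId"] == "rtb-db-b" else rt
             for rt in ROUTE_TABLES]
    print("after fix:", audit(fixed, SUBNETS, NAT_GATEWAYS, private))
```

Run as a script, it reports `subnet-db-b` as effectively public and an empty finding list once that subnet's default route is pointed at `nat-b`; pointing it at `nat-a` instead is also flagged, because that gateway lives in the other AZ. Against a real account, replace the three constants with the `RouteTables`, `Subnets` and `NatGateways` lists from the corresponding describe calls.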
Author: LeetQuiz Editorial Team
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy that maximizes security without increasing operational overhead.
What should the solutions architect do to meet these requirements?
A. Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
B. Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
C. Configure an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the internet gateway.
D. Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the virtual private gateway.