Explanation:

Network ACLs (NACLs) act as stateless firewalls for subnets. Custom network ACLs deny all traffic by default until explicit allow rules are added. If there is a rule denying outbound traffic (or inbound return traffic), instances in the private subnet will fail to reach the internet despite having a proper route to the NAT Gateway. Note: A NAT Gateway is deployed in a public subnet, not a private subnet, so B is incorrect. Default security groups allow all outbound traffic, making D incorrect.

Question 34.

A SysOps administrator is troubleshooting a VPC with public and private subnets that leverage custom network ACLs. Instances in the private subnet are unable to access the internet. There is an internet gateway attached to the public subnet. The private subnet has a route to a NAT gateway that is also attached to the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC. What is causing the issue in this scenario?

Exam-Like

Community

RRitesh

Last updated: May 3, 2026 at 18:37

There is a network ACL on the private subnet set to deny all outbound traffic.

There is no NAT gateway deployed in the private subnet of the VPC.

The default security group for the VPC blocks all inbound traffic to the EC2 instances.

The default security group for the VPC blocks all outbound traffic from the EC2 instances.

AWS Certified Cloud Practitioner

Get started today

Get started today

Comments (0)

Question 34.