AWS Certified Solutions Architect – Associate (SAA-C02) — Question 239
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy that maximizes security without increasing operational overhead.
What should the solutions architect do to meet these requirements?
Answer options
- A. Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
- B. Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
- C. Configure an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the internet gateway.
- D. Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the virtual private gateway.
Correct answer: B
Explanation
The correct answer is B. Deploying a NAT gateway in a public subnet, and pointing the private subnet's default route at it, lets the MySQL instances in the private subnets initiate outbound connections to the third-party catalog and pricing endpoints while remaining unreachable from the internet, which maximizes security without adding operational overhead. Option A is not ideal: a NAT instance is an EC2 instance the company must patch, size and monitor itself, and it does not provide the same level of resilience as a NAT gateway. Options C and D are incorrect as they would expose the private subnets directly to the internet, which violates the security requirements.
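The configuration described in option B, written as an added CloudFormation example (not part of the original question): an Elastic IP and NAT gateway in the public subnet, and a private route table whose only default route targets that NAT gateway. The VPC and subnet IDs are passed in as parameters and are placeholders, not values from the page.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - outbound-only internet access for a private subnet via a NAT gateway

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id            # assumption: VPC already exists
  PublicSubnetId:
    Type: AWS::EC2::Subnet::Id         # assumption: subnet whose route table points to an IGW
  PrivateSubnetId:
    Type: AWS::EC2::Subnet::Id         # assumption: subnet hosting the MySQL EC2 cluster

Resources:
  # Static public IP the NAT gateway uses as the source address for outbound traffic.
  NatEip:
    Type: AWS::EC2::EIP
    Properties:
      Domain: vpc

  # The NAT gateway lives in the PUBLIC subnet so it can reach the internet gateway.
  NatGateway:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEip.AllocationId
      SubnetId: !Ref PublicSubnetId

  # Dedicated route table for the private subnet.
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VpcId

  # Default route goes to the NAT gateway, never to an internet gateway: the NAT gateway
  # only forwards connections initiated from inside, so nothing on the internet can reach
  # the MySQL instances directly (this is the difference from option C).
  PrivateDefaultRoute:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGateway

  PrivateSubnetAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnetId
      RouteTableId: !Ref PrivateRouteTable

Outputs:
  NatGatewayPublicIp:
    Description: Source IP the third-party provider will see; useful if they allowlist callers
    Value: !Ref NatEip
```

A quick check after deployment is to confirm that the private subnet's route table contains no `0.0.0.0/0` entry whose target begins with `igw-`; if one exists, the subnet is effectively public regardless of its name.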