AWS Certified Solutions Architect – Associate (SAA-C02) — Question 512
A company is running an application on Amazon EC2 instances hosted in a private subnet of a VPC. The EC2 instances are configured in an Auto Scaling group behind an Elastic Load Balancer (ELB). The EC2 instances use a NAT gateway for outbound internet access. However, the EC2 instances are not able to connect to the public internet to download software updates.
What are the possible root causes of this issue? (Choose two.)
Answer options
- A. The ELB is not configured with a proper health check.
- B. The route tables in the VPC are configured incorrectly.
- C. The EC2 instances are not associated with an Elastic IP address.
- D. The security group attached to the NAT gateway is configured incorrectly.
- E. The outbound rules on the security group attached to the EC2 instances are configured incorrectly.
Correct answer: B, E
Explanation
Incorrectly configured VPC route tables can prevent traffic from the private subnet from reaching the NAT gateway, or prevent the NAT gateway's public subnet from routing traffic to the internet gateway. Additionally, if the outbound (egress) rules of the security group on the EC2 instances do not allow traffic to the internet, the instances will not be able to fetch updates. NAT gateways do not have security groups, and EC2 instances in a private subnet do not require public Elastic IP addresses when using a NAT gateway.
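The two root causes in the explanation can be checked offline against the data AWS returns for route tables and security groups. The following is an added example, not code from AWS or from the exam material: it models the shape of `describe-route-tables` and `describe-security-groups` output with constructed sample data (the `nat-…`, `igw-…`, `rtb-…` and `sg-…` IDs are placeholders) and reports whether the private subnet's default route targets the NAT gateway, whether the NAT gateway's public subnet routes to the internet gateway, and whether the instance security group's egress rules permit the update download.

```python
"""Offline check for the two root causes named in the explanation:
(1) route tables between the private subnet, the NAT gateway and the
    internet gateway, and (2) the EC2 security group's egress rules.
Added example; the dicts below are constructed to mimic the shape of
`aws ec2 describe-route-tables` / `describe-security-groups` output,
and every resource ID is a placeholder."""
from ipaddress import ip_network

NAT_GW = "nat-0000PLACEHOLDER"   # placeholder NAT gateway ID
IGW = "igw-0000PLACEHOLDER"      # placeholder internet gateway ID


def find_default_route(route_table):
    """Return the active 0.0.0.0/0 route of a route table, or None."""
    for route in route_table["Routes"]:
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route
    return None


def check_routing(private_rtb, public_rtb, nat_gateway_id, igw_id):
    """List routing problems; an empty list means the routing matches the design."""
    findings = []
    priv = find_default_route(private_rtb)
    if priv is None:
        findings.append("private subnet route table has no default (0.0.0.0/0) route")
    elif priv.get("NatGatewayId") != nat_gateway_id:
        findings.append(f"private subnet default route does not target NAT gateway {nat_gateway_id}")
    pub = find_default_route(public_rtb)
    if pub is None:
        findings.append("NAT gateway's public subnet route table has no default route")
    elif pub.get("GatewayId") != igw_id:
        findings.append(f"public subnet default route does not target internet gateway {igw_id}")
    return findings


def egress_allows(security_group, dest_ip, port, protocol="tcp"):
    """True if any egress rule covers dest_ip:port/protocol.
    Security groups are allow-only and a single matching rule is enough."""
    dest = ip_network(dest_ip)
    for perm in security_group["IpPermissionsEgress"]:
        proto = perm["IpProtocol"]
        if proto not in ("-1", protocol):        # "-1" means all protocols
            continue
        if proto != "-1" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        for rng in perm.get("IpRanges", []):
            if dest.subnet_of(ip_network(rng["CidrIp"])):
                return True
    return False


def diagnose(private_rtb, public_rtb, sg, nat_gateway_id, igw_id,
             dest="203.0.113.10", port=443):
    """Combine both checks for one update endpoint (dest/port are constructed)."""
    findings = check_routing(private_rtb, public_rtb, nat_gateway_id, igw_id)
    if not egress_allows(sg, dest, port):
        findings.append(f"security group {sg['GroupId']} egress does not allow tcp/{port} to {dest}")
    return findings


# Constructed sample data. The broken private table points its default route
# at the internet gateway instead of the NAT gateway; since the instances have
# no public IPs, that route cannot carry their traffic out.
PRIVATE_RTB_BROKEN = {"RouteTableId": "rtb-private", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"},
]}
PRIVATE_RTB_OK = {"RouteTableId": "rtb-private", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_GW, "State": "active"},
]}
PUBLIC_RTB_OK = {"RouteTableId": "rtb-public", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW, "State": "active"},
]}
# Egress limited to HTTPS inside the VPC: fine for internal services, but it
# blocks the update download to any internet address.
SG_RESTRICTED = {"GroupId": "sg-app", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]}
SG_OPEN_HTTPS = {"GroupId": "sg-app", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

if __name__ == "__main__":
    for f in diagnose(PRIVATE_RTB_BROKEN, PUBLIC_RTB_OK, SG_RESTRICTED, NAT_GW, IGW):
        print("FINDING:", f)
    print("fixed configuration findings:", diagnose(PRIVATE_RTB_OK, PUBLIC_RTB_OK, SG_OPEN_HTTPS, NAT_GW, IGW))
```

Run against the broken sample, `diagnose` reports both answer B (the private subnet's default route) and answer E (the instance security group's egress); the corrected sample produces no findings. Note that the check deliberately ignores Elastic IPs and load balancer health checks, matching the explanation: neither is part of the outbound path through a NAT gateway.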