AWS Certified Solutions Architect – Associate (SAA-C02) — Question 86
A company recently deployed a two-tier application in two Availability Zones in the us-east-1 Region. The databases are deployed in a private subnet while the web servers are deployed in a public subnet. An internet gateway is attached to the VPC. The application and database run on Amazon EC2 instances. The database servers are unable to access patches on the internet. A solutions architect needs to design a solution that maintains database security with the least operational overhead.
Which solution meets these requirements?
Answer options
- A. Deploy a NAT gateway inside the public subnet for each Availability Zone and associate it with an Elastic IP address. Update the routing table of the private subnet to use it as the default route.
- B. Deploy a NAT gateway inside the private subnet for each Availability Zone and associate it with an Elastic IP address. Update the routing table of the private subnet to use it as the default route.
- C. Deploy two NAT instances inside the public subnet for each Availability Zone and associate them with Elastic IP addresses. Update the routing table of the private subnet to use it as the default route.
- D. Deploy two NAT instances inside the private subnet for each Availability Zone and associate them with Elastic IP addresses. Update the routing table of the private subnet to use it as the default route.
Correct answer: A
Explanation
The correct answer is A. A NAT gateway must be placed in a public subnet, that is, a subnet whose route table has a default route to the internet gateway, because the NAT gateway itself reaches the internet through that route. Deploying one NAT gateway per Availability Zone and pointing each private subnet's default route (0.0.0.0/0) at the NAT gateway in the same AZ gives the database instances outbound access for patches without an Availability Zone outage taking egress away from the surviving instances. Database security is preserved because a NAT gateway only forwards connections that originate from inside the VPC; it does not accept inbound connections from the internet, so the database servers stay unreachable from outside even though they can now download updates. Options B and D place the NAT gateway or NAT instances in the private subnet, which has no route to the internet gateway, so they could not forward traffic to the internet at all. Option C does put the NAT instances in the public subnet, but NAT instances are EC2 instances that the company must patch, size, monitor and make highly available itself, whereas a NAT gateway is a managed service that scales automatically and is redundant within its Availability Zone, so C fails the least-operational-overhead requirement.
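The following Terraform configuration is an added example of the option A layout, not material from the exam question or from AWS. It assumes the two AZs us-east-1a and us-east-1b, made-up CIDR ranges, a VPC and internet gateway created here rather than pre-existing, and a web-tier security group whose ID is supplied through a variable. Each AZ gets a NAT gateway in its public subnet and a private route table whose default route points at that AZ's NAT gateway, and the database security group allows no inbound traffic from the internet.

```hcl
# Added example, not from the original page. Assumed values: AZ list, CIDRs,
# and the web tier security group ID passed in as var.web_sg_id.
variable "azs" {
  default = ["us-east-1a", "us-east-1b"]
}

variable "web_sg_id" {
  description = "Assumed existing security group of the web tier"
  type        = string
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "public" {
  for_each          = toset(var.azs)
  vpc_id            = aws_vpc.main.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, index(var.azs, each.key))
}

resource "aws_subnet" "private" {
  for_each          = toset(var.azs)
  vpc_id            = aws_vpc.main.id
  availability_zone = each.key
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, 10 + index(var.azs, each.key))
}

# The default route to the internet gateway is what makes a subnet "public";
# a NAT gateway depends on this route to reach the internet (why B and D fail).
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "public" {
  for_each       = aws_subnet.public
  subnet_id      = each.value.id
  route_table_id = aws_route_table.public.id
}

# One Elastic IP and one NAT gateway per AZ, each in that AZ's public subnet.
resource "aws_eip" "nat" {
  for_each = toset(var.azs)
  domain   = "vpc"
}

resource "aws_nat_gateway" "nat" {
  for_each      = toset(var.azs)
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = aws_subnet.public[each.key].id
  depends_on    = [aws_internet_gateway.igw]
}

# One private route table per AZ whose default route is that AZ's NAT gateway,
# so the loss of one AZ does not remove egress for the database in the other.
resource "aws_route_table" "private" {
  for_each = toset(var.azs)
  vpc_id   = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat[each.key].id
  }
}

resource "aws_route_table_association" "private" {
  for_each       = aws_subnet.private
  subnet_id      = each.value.id
  route_table_id = aws_route_table.private[each.key].id
}

# Database tier: inbound only from the web tier on the database port (3306 is
# an assumed example), outbound only to HTTPS/HTTP so patches can be fetched.
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [var.web_sg_id]
  }

  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The security group egress rules are tighter than the question requires but are the check a practitioner would add: even with a NAT gateway in place, the database instances should only be able to initiate the connections they need for patching, and nothing on the internet can initiate a connection back to them because the NAT gateway does not forward unsolicited inbound traffic and the security group has no internet-facing ingress rule.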