AWS Certified Solutions Architect – Associate (SAA-C03) — Question 125

A solutions architect is designing a VPC with public and private subnets. The VPC and subnets use IPv4 CIDR blocks. There is one public subnet and one private subnet in each of three Availability Zones (AZs) for high availability. An internet gateway is used to provide internet access for the public subnets. The private subnets require access to the internet to allow Amazon EC2 instances to download software updates.
What should the solutions architect do to enable Internet access for the private subnets?

Answer options

• A. Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
• B. Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
• C. Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
• D. Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only Internet gateway.

Correct answer: A

Explanation

The correct answer is A because creating NAT gateways in each AZ allows instances in the private subnets to route traffic to the internet while keeping them secure. Options B and C are incorrect as NAT instances are not as scalable and a second internet gateway cannot be created in a private subnet. Option D is not appropriate because an egress-only internet gateway is used for IPv6 traffic, not IPv4.