AWS Certified Solutions Architect – Associate (SAA-C03) — Question 226
An Amazon EC2 instance is located in a private subnet in a new VPC. This subnet does not have outbound internet access, but the EC2 instance needs the ability to download monthly security updates from an outside vendor.
What should a solutions architect do to meet these requirements?
Answer options
- A. Create an internet gateway, and attach it to the VPC. Configure the private subnet route table to use the internet gateway as the default route.
- B. Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.
- C. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the NAT instance as the default route.
- D. Create an internet gateway, and attach it to the VPC. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the internet gateway as the default route.
Correct answer: B
Explanation
The correct answer is B because a NAT gateway is specifically designed to provide outbound internet access for instances in a private subnet, allowing them to download updates without being directly exposed to the internet. Option A is incorrect because an internet gateway does not serve private subnets: a subnet whose default route points at an internet gateway is, by definition, a public subnet. Option C is not suitable because a NAT instance must be in a public subnet to function correctly. Option D is incorrect because it places the NAT instance in the same private subnet as the EC2 instance and then routes the private subnet to the internet gateway, so the NAT instance is unnecessary and the subnet is no longer private.