AWS Certified Solutions Architect – Associate (SAA-C03) — Question 362
A company runs a public three-tier web application in a VPC. The application runs on Amazon EC2 instances across multiple Availability Zones. The EC2 instances that run in private subnets need to communicate with a license server over the internet. The company needs a managed solution that minimizes operational maintenance.
Which solution meets these requirements?
Answer options
- A. Provision a NAT instance in a public subnet. Modify each private subnet's route table with a default route that points to the NAT instance.
- B. Provision a NAT instance in a private subnet. Modify each private subnet's route table with a default route that points to the NAT instance.
- C. Provision a NAT gateway in a public subnet. Modify each private subnet's route table with a default route that points to the NAT gateway.
- D. Provision a NAT gateway in a private subnet. Modify each private subnet's route table with a default route that points to the NAT gateway.
Correct answer: C
Explanation
An AWS NAT gateway is a fully managed service that scales automatically and requires minimal administrative overhead, unlike a self-managed NAT instance, which the company would have to patch, size and scale itself. For outbound internet connectivity, the NAT gateway must be placed in a public subnet, that is, one whose route table has a route to an internet gateway; each private subnet's route table then sends its default route (0.0.0.0/0) to the NAT gateway. This makes Option C the correct architecture. Options A and B rely on a NAT instance and therefore do not minimize operational maintenance. Option D is incorrect because a private subnet has no route to an internet gateway, so a NAT gateway placed there has no path to the internet.