AWS Certified Solutions Architect – Associate (SAA-C03) — Question 551
A company has created a multi-tier application for its ecommerce website. The website uses an Application Load Balancer that resides in the public subnets, a web tier in the public subnets, and a MySQL cluster hosted on Amazon EC2 instances in the private subnets. The MySQL database needs to retrieve product catalog and pricing information that is hosted on the internet by a third-party provider. A solutions architect must devise a strategy that maximizes security without increasing operational overhead.
What should the solutions architect do to meet these requirements?
Answer options
- A. Deploy a NAT instance in the VPC. Route all the internet-based traffic through the NAT instance.
- B. Deploy a NAT gateway in the public subnets. Modify the private subnet route table to direct all internet-bound traffic to the NAT gateway.
- C. Configure an internet gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the internet gateway.
- D. Configure a virtual private gateway and attach it to the VPC. Modify the private subnet route table to direct internet-bound traffic to the virtual private gateway.
Correct answer: B
Explanation
A NAT gateway is a fully managed AWS service that allows resources in private subnets to securely connect to the internet while preventing external hosts from initiating connections, satisfying the security and low operational overhead requirements. NAT instances require manual management and patching, which increases operational overhead. Directing traffic from private subnets directly to an internet gateway is insecure and invalid, while a virtual private gateway is used for VPN/Direct Connect connections rather than outbound public internet access.
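As an added defender-side check, not part of the exam question or of any AWS tooling: a small audit that classifies each private subnet's default route against the four options above and, for the NAT gateway case, confirms the gateway itself sits in a subnet whose default route is an internet gateway. The route tables, NAT gateway and subnet ids are constructed sample data in the shape of boto3 describe_route_tables()/describe_nat_gateways() responses.

```python
# Added example, not from the exam page. All ids and records below are constructed,
# shaped like boto3 ec2.describe_route_tables()/describe_nat_gateways() output.
PRIVATE_SUBNETS = ["subnet-db-a", "subnet-db-b"]
ROUTE_TABLES = [  # public web tier; private tier done right (B); private tier wired like C
    {"Associations": [{"SubnetId": "subnet-web-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"Associations": [{"SubnetId": "subnet-db-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
    {"Associations": [{"SubnetId": "subnet-db-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-0def", "SubnetId": "subnet-web-a"}]

def default_route(table):
    # The 0.0.0.0/0 route of a route table, or None if the table has none.
    return next((r for r in table["Routes"]
                 if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)

def egress_type(route):
    """Classify how a default route leaves the VPC (maps onto options A-D)."""
    if route is None:
        return "none"
    if route.get("NatGatewayId"):
        return "nat-gateway"                 # option B: managed, inbound blocked
    if route.get("InstanceId") or route.get("NetworkInterfaceId"):
        return "nat-instance"                # option A: self-managed EC2 NAT
    gw = route.get("GatewayId", "")
    if gw.startswith("igw-"):
        return "internet-gateway"            # option C: subnet is effectively public
    if gw.startswith("vgw-"):
        return "virtual-private-gateway"     # option D: VPN/Direct Connect, not internet
    return "other"

def audit(route_tables, nat_gateways, private_subnets):
    """Return {subnet: (egress_type, compliant)}; compliant means default route to a
    NAT gateway whose own subnet has an IGW default route. Unassociated subnets = none."""
    table_of = {a["SubnetId"]: t for t in route_tables for a in t["Associations"]}
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    result = {}
    for s in private_subnets:
        route = default_route(table_of[s]) if s in table_of else None
        kind = egress_type(route)
        ok = False
        if kind == "nat-gateway":
            home = table_of.get(nat_subnet.get(route["NatGatewayId"]))
            ok = home is not None and egress_type(default_route(home)) == "internet-gateway"
        result[s] = (kind, ok)
    return result
```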