AWS Certified Solutions Architect – Associate (SAA-C03) — Question 658

A solutions architect creates a VPC that includes two public subnets and two private subnets. A corporate security mandate requires the solutions architect to launch all Amazon EC2 instances in a private subnet. However, when the solutions architect launches an EC2 instance that runs a web server on ports 80 and 443 in a private subnet, no external internet traffic can connect to the server.

What should the solutions architect do to resolve this issue?

Answer options

• A. Attach the EC2 instance to an Auto Scaling group in a private subnet. Ensure that the DNS record for the website resolves to the Auto Scaling group identifier.
• B. Provision an internet-facing Application Load Balancer (ALB) in a public subnet. Add the EC2 instance to the target group that is associated with the ALEnsure that the DNS record for the website resolves to the ALB.
• C. Launch a NAT gateway in a private subnet. Update the route table for the private subnets to add a default route to the NAT gateway. Attach a public Elastic IP address to the NAT gateway.
• D. Ensure that the security group that is attached to the EC2 instance allows HTTP traffic on port 80 and HTTPS traffic on port 443. Ensure that the DNS record for the website resolves to the public IP address of the EC2 instance.

Correct answer: B

Explanation

Deploying an internet-facing Application Load Balancer (ALB) in the public subnets allows it to receive external internet traffic and route it to the EC2 instances in the private subnets. A NAT gateway only supports outbound-initiated connections and cannot accept incoming web requests from the internet. Additionally, EC2 instances in private subnets do not have public IP addresses, making direct DNS resolution to the instance impossible.