AWS Certified Solutions Architect – Professional — Question 168
A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance.
Which of the below mentioned entries is not required in NAT's security group for the database servers to connect to the Internet for software updates?
Answer options
- A. For Outbound allow Destination: 0.0.0.0/0 on port 443
- B. For Inbound allow Source: 20.0.1.0/24 on port 80
- C. For Inbound allow Source: 20.0.0.0/24 on port 80
- D. For Outbound allow Destination: 0.0.0.0/0 on port 80
Correct answer: C
Explanation
The correct answer is C. The NAT instance's inbound rules only need to accept traffic from the private subnet, where the database servers sit, so an inbound rule allowing source 20.0.0.0/24 (the public subnet) on port 80 is not required. Options A and D are the outbound rules the NAT needs to forward the update traffic to the Internet, and option B is the inbound rule that admits that traffic from the private subnet (20.0.1.0/24).
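To make the reasoning checkable, here is an added example (not part of the question or its source) that models the four options as stateful security-group rules, traces a database server's update traffic through the NAT, and reports which option no flow exercises. The host addresses are constructed sample values, and the complete NAT rule set assumes an inbound HTTPS rule from the private subnet that the question does not list.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str  # "inbound" or "outbound"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port: int

@dataclass(frozen=True)
class Flow:
    src: str  # originating host
    dst: str  # Internet host the NAT forwards to
    port: int

# The question's four answer options, expressed as security-group rules.
OPTIONS = {
    "A": Rule("outbound", "0.0.0.0/0", 443),
    "B": Rule("inbound", "20.0.1.0/24", 80),
    "C": Rule("inbound", "20.0.0.0/24", 80),
    "D": Rule("outbound", "0.0.0.0/0", 80),
}

# Assumed complete NAT security group: options A, B and D plus an inbound
# HTTPS rule from the private subnet, which the question does not list.
NAT_SG = [OPTIONS["A"], OPTIONS["B"], OPTIONS["D"], Rule("inbound", "20.0.1.0/24", 443)]

# Constructed sample traffic: a DB server in the private subnet fetching
# updates over HTTP and HTTPS from a documentation-range (RFC 5737) host.
DB_UPDATE_FLOWS = [Flow("20.0.1.10", "203.0.113.5", 80),
                   Flow("20.0.1.10", "203.0.113.5", 443)]

def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Inbound rules are checked against the flow's source, outbound rules
    against its destination; the port must match in both cases."""
    addr = flow.src if rule.direction == "inbound" else flow.dst
    return rule.port == flow.port and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)

def flow_allowed(rules, flow: Flow) -> bool:
    """Forwarded traffic must pass an inbound rule on entry to the NAT and an
    outbound rule on exit. Security groups are stateful, so the reply
    packets need no rule of their own."""
    return (any(r.direction == "inbound" and rule_matches(r, flow) for r in rules)
            and any(r.direction == "outbound" and rule_matches(r, flow) for r in rules))

def unused_options(options, flows) -> list:
    """Options that no flow exercises; least privilege says leave them out."""
    return sorted(k for k, r in options.items() if not any(rule_matches(r, f) for f in flows))
```

Calling `unused_options(OPTIONS, DB_UPDATE_FLOWS)` returns `['C']`, while `flow_allowed(NAT_SG, f)` holds for both update flows.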