AWS Certified Solutions Architect – Professional — Question 600
A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet with CIDR 20.0.0.0/24 and a VPN-only subnet with CIDR 20.0.1.0/24, along with a VPN gateway (vgw-123456) to connect to the user's data center. The user's data center has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet.
Which of the following options is not a valid entry for the main route table in this scenario?
Answer options
- A. Destination: 20.0.0.0/16 and Target: local
- B. Destination: 0.0.0.0/0 and Target: i-123456
- C. Destination: 172.28.0.0/12 and Target: vgw-123456
- D. Destination: 20.0.1.0/24 and Target: i-123456
Correct answer: D
Explanation
Every VPC route table automatically includes a local route (destination 20.0.0.0/16, target local) that covers all traffic destined for addresses within the VPC. Because that local route already handles the VPC's own address space, a subnet range such as 20.0.1.0/24 cannot be routed to the NAT instance. To provide outbound internet access, the NAT instance (i-123456) is targeted by the default route (0.0.0.0/0), not by a route for an internal subnet range. Option D, which points the VPC's own subnet range at the NAT instance, is therefore not a valid entry.