AWS Certified Solutions Architect – Professional — Question 665

A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet.
How can the instances in the private subnet connect to the internet?

Answer options

• A. The private subnet can never connect to the internet
• B. Use NAT with an elastic IP
• C. Use the internet gateway with a private IP
• D. Allow outbound traffic in the security group for port 80 to allow internet updates

Correct answer: B

Explanation

To allow instances in a private subnet to download patches from the internet without exposing them to inbound connections, a NAT device (gateway or instance) associated with an Elastic IP is required in the public subnet. An Internet Gateway cannot route traffic for instances that lack public IP addresses directly. Simply opening security group ports is insufficient without a valid route and NAT translation to the public internet.