AWS Certified SysOps Administrator – Associate — Question 103
A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company’s security policy requires all EC2 instances to be deployed in private subnets.
What should a SysOps administrator do to meet these requirements?
Answer options
- A. Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
- B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
- C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
- D. Add two internet gateways to the VPC. In the route tables for the private subnets and public subnets, add a route to each internet gateway.
Correct answer: C
Explanation
The correct answer is C. A NAT gateway in a public subnet lets instances in private subnets reach the internet to download updates, while the instances themselves stay in private subnets, as the security policy requires. Option A is incorrect because an internet gateway does not directly support instances in private subnets. Option B is wrong because the NAT gateway must reside in a public subnet to provide internet access. Option D is also incorrect because only one internet gateway is permitted per VPC.