AWS Certified SysOps Administrator – Associate — Question 311

A SysOps administrator is troubleshooting a VPC with public and private subnets that leverage custom network ACLs. Instances in the private subnet are unable to access the internet. There is an internet gateway attached to the public subnet. The private subnet has a route to a NAT gateway that is also attached to the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC.

What is causing the issue in this scenario?

Answer options

Correct answer: A

Explanation

Network ACLs are stateless, meaning outbound traffic must be explicitly allowed for instances to communicate. If the custom network ACL on the private subnet denies outbound traffic, the instances cannot reach the NAT gateway. The default security group allows all outbound traffic by default, and a NAT gateway must reside in a public subnet, which makes the other options incorrect.
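The stateless rule evaluation described above, as an added example that is not part of the original question: a small Python model of network ACL first-match semantics (ascending rule numbers, implicit catch-all deny) applied to the private subnet's traffic to and from the NAT gateway. The NAT gateway address 10.0.1.50 and all rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # 1-32766; AWS's catch-all "*" rule is the implicit deny
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # destination CIDR for outbound, source CIDR for inbound
    action: str      # "allow" or "deny"

    def matches(self, protocol, port, ip):
        return (self.protocol in ("-1", protocol)
                and self.port_from <= port <= self.port_to
                and ip_address(ip) in ip_network(self.cidr))


def evaluate(rules, protocol, port, ip):
    """First-match evaluation in ascending rule-number order, like an AWS NACL."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action
    return "deny"  # nothing matched: the implicit "*" deny applies


def private_subnet_can_use_nat(outbound, inbound, nat_ip="10.0.1.50"):
    """Stateless check for an HTTPS request from the private subnet via the NAT.
    Two independent decisions: outbound TCP/443 to the NAT gateway's address
    (constructed here as 10.0.1.50 in the public subnet), and the reply coming
    back from that address to an ephemeral port (1024-65535) on the instance.
    """
    request_allowed = evaluate(outbound, "tcp", 443, nat_ip) == "allow"
    reply_allowed = evaluate(inbound, "tcp", 40000, nat_ip) == "allow"
    return request_allowed and reply_allowed


# Constructed rule sets for the scenario in the question.
# The custom NACL that breaks internet access: outbound is denied entirely.
BROKEN_OUTBOUND = [NaclRule(100, "-1", 0, 65535, "0.0.0.0/0", "deny")]
# A working pair: allow web traffic out, allow ephemeral-port replies back in.
FIXED_OUTBOUND = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
                  NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")]
RETURN_INBOUND = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print("broken outbound:", private_subnet_can_use_nat(BROKEN_OUTBOUND, RETURN_INBOUND))
    print("fixed outbound: ", private_subnet_can_use_nat(FIXED_OUTBOUND, RETURN_INBOUND))
    print("no inbound return rule:", private_subnet_can_use_nat(FIXED_OUTBOUND, []))
```

The third case shows the stateless consequence: even with outbound fixed, a private subnet NACL with no inbound ephemeral-port allow still breaks the connection, because the reply is judged on its own.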