AWS Certified SysOps Administrator – Associate — Question 41
A SysOps administrator is attempting to download patches from the internet into an instance in a private subnet. An internet gateway exists for the VPC, and a NAT gateway has been deployed on the public subnet; however, the instance has no internet connectivity. The resources deployed into the private subnet must be inaccessible directly from the public internet.
Public Subnet (10.0.1.0/24) Route Table

| Destination | Target |
|-------------|--------|
| 10.0.0.0/16 | local  |
| 0.0.0.0/0   | IGW    |

Private Subnet (10.0.2.0/24) Route Table

| Destination | Target |
|-------------|--------|
| 10.0.0.0/16 | local  |
What should be added to the private subnet’s route table in order to address this issue, given the information provided?
Answer options
- A. 0.0.0.0/0 IGW
- B. 0.0.0.0/0 NAT
- C. 10.0.1.0/24 IGW
- D. 10.0.1.0/24 NAT
Correct answer: B
Explanation
The correct answer is B because adding a default route (0.0.0.0/0) that targets the NAT gateway lets instances in the private subnet initiate outbound connections to the internet, such as downloading patches, while the NAT gateway does not accept inbound connections initiated from the internet, so the instances remain inaccessible directly from the public internet. The NAT gateway itself sits in the public subnet, whose route table already sends 0.0.0.0/0 to the internet gateway, which completes the path. The other options are incorrect because routing to the IGW (options A and C) would make the private subnet a public subnet and expose its resources directly to the internet, and option D does not provide the necessary route for internet access: 10.0.1.0/24 is already covered by the local route for 10.0.0.0/16, so that entry adds no path to the internet.
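The following is an added example, not part of the exam page, showing how a SysOps administrator might audit a route table that is supposed to stay private, for instance on the `Routes` list returned by `describe-route-tables`. It assumes targets are identified by their AWS id prefixes (`igw-` for internet gateways, `nat-` for NAT gateways, `local` for the VPC route); the gateway ids used are constructed placeholders.

```python
# Added example: classify a private subnet's route table as ok / exposed / no-egress.
# Route tables are lists of (destination_cidr, target_id) tuples, mirroring the
# Destination/Target columns in the question. Gateway ids below are constructed.

DEFAULT_ROUTE = "0.0.0.0/0"
IGW_ID = "igw-0000example"   # placeholder id for the VPC's internet gateway
NAT_ID = "nat-0000example"   # placeholder id for the NAT gateway in the public subnet

def classify_target(target: str) -> str:
    """Map a route target to a type using AWS id prefixes."""
    if target == "local":
        return "local"
    if target.startswith("igw-"):
        return "igw"
    if target.startswith("nat-"):
        return "nat"
    return "other"

def audit_private_route_table(routes):
    """Return (status, detail) for a route table that must stay private.

    'exposed'   - any route targets an IGW, which turns the subnet into a public one
    'ok'        - the default route targets a NAT gateway (outbound-only internet)
    'no-egress' - no usable default route, so instances cannot reach the internet
    """
    igw_routes = [(d, t) for d, t in routes if classify_target(t) == "igw"]
    if igw_routes:
        return ("exposed", f"IGW route(s) present: {igw_routes}")
    default = [t for d, t in routes if d == DEFAULT_ROUTE]
    if not default:
        return ("no-egress", "no 0.0.0.0/0 route")
    if classify_target(default[0]) == "nat":
        return ("ok", f"default route via {default[0]}")
    return ("no-egress", f"default route targets {default[0]}, not a NAT gateway")

# The private subnet's table as given in the question, plus the four answer options.
PRIVATE_AS_IS = [("10.0.0.0/16", "local")]
OPTIONS = {
    "A": ("0.0.0.0/0", IGW_ID),
    "B": ("0.0.0.0/0", NAT_ID),
    "C": ("10.0.1.0/24", IGW_ID),
    "D": ("10.0.1.0/24", NAT_ID),
}

def evaluate_option(letter: str):
    """Audit the private route table after adding one answer option's route."""
    return audit_private_route_table(PRIVATE_AS_IS + [OPTIONS[letter]])

if __name__ == "__main__":
    for letter in OPTIONS:
        print(letter, *evaluate_option(letter))
```

Only option B yields `ok`; A and C are flagged `exposed`, and D is `no-egress` because it adds no default route.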