AWS Certified SysOps Administrator – Associate (legacy) — Question 821
A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the Internet?
Answer options
- A. Use the internet gateway with a private IP
- B. Allow outbound traffic in the security group for port 80 to allow internet updates
- C. The private subnet can never connect to the internet
- D. Use NAT with an elastic IP
Correct answer: D
Explanation
To let instances in a private subnet reach the internet for software patches without accepting inbound connections from it, deploy a NAT gateway or NAT instance with an Elastic IP in the public subnet, and add a route in the private subnet's route table that sends 0.0.0.0/0 to that NAT device. The NAT device translates the instances' private source addresses to its Elastic IP and forwards only the return traffic for connections the instances initiated, so nothing on the internet can open a connection to them. An internet gateway (Option A) only routes traffic for instances that have a public or Elastic IP of their own, which instances in a private subnet do not have, so it cannot serve them directly. Modifying security groups (Option B) alone does not create an internet route; a security group filters traffic but does not decide where it goes. Option C is wrong because a private subnet can reach the internet through NAT, which is exactly the purpose of Option D.