AWS Certifications Journey – VPCs, NAT Gateways & Private Subnets

❓ Practice Question
A company has an application that is running on Amazon EC2 instances in a VPC. The application needs access to download software updates from the internet. The VPC has public subnets and private subnets. The company’s security policy requires all EC2 instances to be deployed in private subnets.
What should a SysOps administrator do to meet these requirements?
A. Add an internet gateway to the VPC. In the route table for the private subnets, add a route to the internet gateway.
B. Add a NAT gateway to a private subnet. In the route table for the private subnets, add a route to the NAT gateway.
C. Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
D. Add two internet gateways to the VPC. In the route table for the private subnets, add a route to the internet gateways.
✅ Correct Answer
C – Add a NAT gateway to a public subnet. In the route table for the private subnets, add a route to the NAT gateway.
🧠 Explanation
Instances in private subnets cannot reach the internet unless their traffic is routed through a NAT (Network Address Translation) device. The NAT gateway must be placed in a public subnet so that it can itself reach the internet via the VPC's internet gateway.
Once the NAT gateway is in place, the private subnet's route table is updated to forward internet-bound traffic (0.0.0.0/0) to the NAT gateway. This lets instances in private subnets initiate outbound connections (such as downloading software updates) while remaining unreachable for connections initiated from the internet, since the NAT gateway only forwards return traffic for sessions the instances opened.
❌ Why the Other Answers Are Incorrect
- A: Routing private subnet traffic directly to an internet gateway would expose the instances to inbound traffic, which violates the security policy.
- B: NAT gateways must reside in public subnets so they can access the internet; placing them in private subnets will not work.
- D: A VPC supports only one internet gateway, and even if it supported two, private subnets shouldn't route directly to an internet gateway.
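As an added example (not part of the original study note), a small Python audit that encodes the reasoning above: it models each of the four answer choices as subnets, default routes and gateways, and reports which choices break the requirement that private subnets reach the internet only through a NAT gateway hosted in a public subnet. Subnet and gateway identifiers such as "igw-1" and "nat-1" are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed model: each subnet records the target of its 0.0.0.0/0 route
# (an "igw-*" or "nat-*" id, or None); each NAT gateway records its host subnet.
@dataclass
class Subnet:
    name: str
    default_route: Optional[str]

@dataclass
class Vpc:
    subnets: Dict[str, Subnet]
    nat_gateways: Dict[str, str]  # NAT gateway id -> name of the subnet hosting it
    internet_gateways: int = 1

def audit(vpc: Vpc, private_subnets: List[str]) -> List[str]:
    """Return policy findings; an empty list means the design meets the question's requirements."""
    findings = []
    if vpc.internet_gateways != 1:
        findings.append(f"VPC attaches {vpc.internet_gateways} internet gateways; a VPC supports only one")
    for name in private_subnets:
        route = vpc.subnets[name].default_route
        if route is None:
            findings.append(f"{name}: no default route, so instances cannot reach update servers")
        elif route.startswith("igw-"):
            findings.append(f"{name}: default route to {route} makes the subnet public and reachable inbound")
        elif route.startswith("nat-"):
            # The NAT gateway only works if its own subnet routes 0.0.0.0/0 to an internet gateway.
            host = vpc.subnets[vpc.nat_gateways[route]]
            if not (host.default_route or "").startswith("igw-"):
                findings.append(f"{name}: {route} sits in {host.name}, which has no internet gateway route")
    return findings

def build_option(letter: str) -> Vpc:
    # The four answer choices from the question, expressed in the model above.
    public = Subnet("public", "igw-1")
    if letter == "A":
        return Vpc({"public": public, "private": Subnet("private", "igw-1")}, {})
    if letter == "B":
        return Vpc({"public": public, "private": Subnet("private", "nat-1")}, {"nat-1": "private"})
    if letter == "C":
        return Vpc({"public": public, "private": Subnet("private", "nat-1")}, {"nat-1": "public"})
    if letter == "D":
        return Vpc({"public": public, "private": Subnet("private", "igw-1")}, {}, internet_gateways=2)
    raise ValueError(f"unknown option {letter}")

def audit_option(letter: str) -> List[str]:
    return audit(build_option(letter), ["private"])
```

Running `audit_option` over "ABCD" leaves only option C without findings; the same check can be pointed at a real route-table export by filling the model from it.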
🧩 Memory Hook
Private subnet? NAT in public subnet is your way out.
🧾 Flashcard
Q: How can EC2 instances in private subnets access the internet for software updates while remaining secure?
A: Use a NAT gateway in a public subnet and update the private subnet route table to point to it.
📎 Key Takeaways
- Private subnets require a NAT device for secure outbound internet access.
- NAT gateways must be launched in public subnets.
- Route tables control the direction of traffic at the subnet level.
- Internet gateways enable internet access only when used properly with routing rules and public subnets.