AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An Amazon ECS service runs on AWS Fargate in private subnets using the awsvpc network mode. Tasks continuously restart because health checks fail. Container logs captured in CloudWatch show the message:
ERROR dial tcp: lookup auth.example.com on 169.254.169.253:53: no such host
EC2 instances in a public subnet can reach the same domain, and the VPC already has DNS hostnames and DNS support enabled. Which change will allow the tasks to reach the external endpoint while adding the least additional cost?
Create an interface VPC endpoint for auth.example.com and add the endpoint to the service's security group.
Enable Auto-assign public IP for the ECS service and place the tasks in a subnet that routes 0.0.0.0/0 to an internet gateway.
Switch the service to bridge network mode and mount the host's resolv.conf inside the container.
Add a NAT gateway to each private subnet and add a default route to the NAT gateway.
Fargate tasks that run in private subnets cannot reach the public internet unless they either (1) are assigned a public IP address in a subnet with an internet gateway or (2) send traffic through a NAT gateway. Assigning each task a public IP (and ensuring the subnet is public) restores outbound DNS resolution and HTTPS access without introducing hourly NAT gateway charges.
Creating an interface VPC endpoint will not work because PrivateLink can only be used for AWS or partner services, not arbitrary public domains. Adding a NAT gateway would solve the problem but adds higher ongoing cost than public IPs. Changing to the bridge network mode does not affect DNS resolution for Fargate and would still leave the tasks without a route to the internet.
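The two egress conditions in the explanation can be checked offline against exported configuration. The following is an added example, not part of the original question: it assumes input shaped like the output of `aws ec2 describe-route-tables` and the `awsvpcConfiguration` block from `aws ecs describe-services`, and every ID and function name in it is constructed for illustration.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` output; all IDs are made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-nat", "Associations": [{"SubnetId": "subnet-nat-a", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]


def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the subnet uses the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(rt):
    """Return 'igw', 'nat' or None for the active 0.0.0.0/0 route."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0" or r.get("State") != "active":
            continue
        if r.get("NatGatewayId"):
            return "nat"
        if r.get("GatewayId", "").startswith("igw-"):
            return "igw"
    return None


def egress_report(awsvpc_config, route_tables):
    """Map each task subnet to its internet egress path, or say why none exists."""
    public_ip = awsvpc_config.get("assignPublicIp", "DISABLED") == "ENABLED"
    report = {}
    for subnet in awsvpc_config["subnets"]:
        target = default_route_target(route_table_for(subnet, route_tables))
        if target == "nat":
            report[subnet] = "ok: NAT gateway"
        elif target == "igw":
            report[subnet] = "ok: public IP + IGW" if public_ip else "blocked: IGW route but no public IP"
        else:
            report[subnet] = "blocked: no default route"
    return report
```

A subnet with an internet gateway route but `assignPublicIp` set to `DISABLED` is reported as blocked, which is the case that is easy to miss when only the route table is inspected.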
AWS Certified CloudOps Engineer Associate SOA-C03
Networking and Content Delivery