AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An e-commerce company operates a VPC with two public and two private subnets split between eu-west-1a and eu-west-1b. Instances located in the private subnet in eu-west-1a cannot download operating-system updates from the internet. A NAT gateway was created in a public subnet in eu-west-1b, and the private subnet's route table sends 0.0.0.0/0 traffic to that gateway. Which action will restore internet access while following AWS best practices and making the fewest possible changes?
Associate the private subnet with a route table that already has a 0.0.0.0/0 route pointing to the internet gateway.
Create a NAT gateway in a public subnet in eu-west-1a and update the private subnet's default route to use this new gateway.
Modify the security group of the instances to allow outbound TCP 443 traffic to 0.0.0.0/0.
Attach a second Elastic IP address to the existing NAT gateway to increase throughput and retry the update.
A NAT gateway can serve only the private subnets that reside in the same Availability Zone. Sending traffic from eu-west-1a across the AZ boundary to a NAT gateway in eu-west-1b causes the return traffic to be dropped. Creating a NAT gateway in the public subnet of eu-west-1a and pointing the private subnet's default route to that gateway restores connectivity and aligns with the recommended design of one NAT gateway per AZ.
Adding an extra Elastic IP to the existing gateway does not change its AZ limitation. Modifying the instances' security groups will not help because the traffic never reaches the NAT gateway. Associating the private subnet with a route table that sends 0.0.0.0/0 directly to an internet gateway would bypass network address translation and expose private addresses to the internet, which is neither functional nor secure.