AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
An operations team runs an Auto Scaling group of Linux EC2 instances in two private subnets (one in each Availability Zone) of a VPC. The instances must occasionally download patches from public YUM repositories and read data from an S3 bucket. Each subnet currently uses its own NAT gateway, and the hourly NAT gateway charges are higher than all data-processing fees combined. The team must lower network costs while ensuring that outbound connectivity continues if either Availability Zone becomes unavailable. Which solution meets these requirements while following AWS best practices?
Remove the NAT gateways and create an interface VPC endpoint for AWS Systems Manager; configure Patch Manager to download updates through the endpoint.
Attach an egress-only internet gateway to the VPC and add a default route from each private subnet to the gateway.
Create a gateway VPC endpoint for Amazon S3 and replace each NAT gateway with a small NAT instance in the corresponding Availability Zone. Disable source/destination checks on the instances and update the private route tables to use the new NAT instances.
Replace both NAT gateways with a single NAT gateway in one Availability Zone and point the default route of both private subnets to that gateway.
A gateway VPC endpoint lets instances access Amazon S3 without traversing a NAT device, removing that portion of the traffic from any hourly or data-processing charge. Replacing each managed NAT gateway with a small NAT instance in the same Availability Zone eliminates the NAT gateway hourly fee yet preserves zonal redundancy: if one AZ fails, instances in the surviving AZ still have a local NAT instance for internet-bound traffic. NAT instances cost less per hour than NAT gateways and support the required outbound access when sized for the workload.
A single shared NAT gateway lowers hourly cost but introduces cross-AZ data charges and creates a single point of failure, violating the availability requirement. An egress-only internet gateway only supports IPv6 traffic, so IPv4 YUM repository access would fail. An interface endpoint for Systems Manager does not provide general internet access and cannot reach public YUM repositories, so patching would be interrupted.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a gateway VPC endpoint, and how does it help reduce costs?
Open an interactive chat with Bash
What is the difference between a NAT gateway and a NAT instance?
Open an interactive chat with Bash
Why is using a single NAT gateway across two Availability Zones considered a bad practice?
Open an interactive chat with Bash
What is a gateway VPC endpoint?
Open an interactive chat with Bash
Why are NAT instances more cost-effective than NAT gateways?
Open an interactive chat with Bash
Why is cross-AZ data transfer a concern in the solution?
Open an interactive chat with Bash
AWS Certified CloudOps Engineer Associate SOA-C03
Networking and Content Delivery
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99
$19.99/mo
Billed monthly, Cancel any time.
3 Month Pass
$44.99
$14.99/mo
One time purchase of $44.99, Does not auto-renew.
MOST POPULAR
Annual Pass
$119.99
$9.99/mo
One time purchase of $119.99, Does not auto-renew.
BEST DEAL
Lifetime Pass
$189.99
One time purchase, Good for life.
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .