
SAA-C03 VPC Questions: Route Tables, NAT Gateways and Subnets

VPC questions appear in almost every SAA-C03 exam. Here is how to answer public vs private subnet scenarios, route table logic, and NAT gateway placement questions.

9 min read
12 sections
Courseiva Study Hub


VPC questions are one of the highest-frequency topics on the AWS SAA-C03 exam. Every architecture scenario involves a VPC, and the exam regularly asks you to design a VPC correctly or identify what is wrong with an existing design.

Public vs Private Subnets

The distinction between public and private subnets is purely determined by the route table:

Public subnet — Has a route in its route table that sends 0.0.0.0/0 (all traffic) to an Internet Gateway (IGW). Resources in a public subnet can communicate directly with the internet if they also have a public IP.

Private subnet — Has no route to an Internet Gateway. Resources in a private subnet cannot be reached directly from the internet and cannot initiate connections to it unless the subnet's route table sends outbound traffic to a NAT device (a NAT Gateway or NAT instance) that itself sits in a public subnet.

Exam trap: a subnet is not made public by where it is placed or by its name — it is made public by the route table. A subnet called "PublicSubnet" with no IGW route is effectively a private subnet.

The Internet Gateway

An Internet Gateway (IGW) is the component that enables communication between a VPC and the internet:

  • One IGW per VPC (attach once, used by all public subnets)
  • Horizontally scaled, redundant, highly available — no bandwidth limits
  • Performs NAT for instances with public IPs (translates private IP to public IP for outbound traffic)

Requirements for a resource to communicate with the internet:

  1. A public IP or Elastic IP assigned to the instance
  2. The subnet's route table has a route to the IGW
  3. Security group allows the traffic
  4. NACL allows the traffic

Route Tables

Every subnet is associated with exactly one route table. If you never associate one explicitly, the subnet uses the VPC's main route table, which is how a new subnet can quietly inherit an IGW route (or the lack of one). A route table contains route entries:

Destination     Target
10.0.0.0/16     local (VPC internal traffic)
0.0.0.0/0       igw-xxxxxxxx (public subnet)

For a private subnet:

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       nat-xxxxxxxx (routes to NAT Gateway)

Longest prefix match applies — The most specific route is used. The local route handles all VPC-internal traffic. The 0.0.0.0/0 route handles everything else.
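The two rules above (a subnet is public only because of its route table, and the router picks the most specific matching route) are easy to state and easy to get wrong when auditing a real account. The following is an added example, not code from the original guide: it takes a constructed, trimmed-down version of the JSON that `aws ec2 describe-route-tables` returns (the IDs, CIDRs and subnet names are made up), resolves each subnet to its explicit or main route table, classifies it as public or private, and performs the same longest-prefix lookup the VPC router does. The main table here sends 0.0.0.0/0 to a NAT Gateway, so the subnets that fall back to it are private.

```python
"""Classify VPC subnets from route-table data and resolve destinations with
longest-prefix match, the way the VPC router does.

Added example, not from the original guide. ROUTE_TABLES is a constructed,
simplified shape of `describe-route-tables` output; every ID is made up.
"""
import ipaddress

# Constructed sample: the main table (no IGW, default route to a NAT Gateway)
# and one explicitly associated table that sends 0.0.0.0/0 to an IGW.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"},
        ],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0bbb"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ccc"},
        ],
    },
]

# Only subnet-web has an explicit association; the others fall back to rtb-main.
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]

# The API puts the target under different keys depending on its type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "TransitGatewayId", "NetworkInterfaceId", "VpcEndpointId")


def route_target(route):
    """Return the target of a route entry, whichever key AWS used for it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def route_table_for_subnet(subnet_id, route_tables):
    """A subnet uses its explicitly associated table, otherwise the VPC's main table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def lookup(route_table, dest_ip):
    """Longest-prefix match: the most specific matching route wins; None means no route."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route_target(route))
    return best[1] if best else None


def is_public(subnet_id, route_tables):
    """Public = the subnet's table has a route whose target is an internet gateway.
    The exam definition is a 0.0.0.0/0 route to an IGW; for auditing, any IGW route
    (even a more specific prefix) exposes that prefix, so we flag all of them."""
    rtb = route_table_for_subnet(subnet_id, route_tables)
    if rtb is None:
        return False
    return any(str(route_target(r)).startswith("igw-") for r in rtb["Routes"])


def classify(subnets, route_tables):
    """Map every subnet ID to 'public' or 'private'."""
    return {s: ("public" if is_public(s, route_tables) else "private") for s in subnets}


if __name__ == "__main__":
    print(classify(SUBNETS, ROUTE_TABLES))
    pub = route_table_for_subnet("subnet-web", ROUTE_TABLES)
    for dest in ("10.0.5.9", "10.1.2.3", "93.184.216.34"):
        print(dest, "->", lookup(pub, dest))
```

Note that the name "subnet-web" plays no part in the decision; only the IGW route does, which is exactly the exam trap above. Against a real account you would feed the script the output of `describe-route-tables` and `describe-subnets` instead of the constructed sample.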

NAT Gateway

A NAT Gateway allows resources in a private subnet to initiate outbound connections to the internet while preventing unsolicited inbound connections:

  • Placed in a public subnet (it needs access to the IGW)
  • Elastic IP assigned to the NAT Gateway
  • Private subnet route table points 0.0.0.0/0 to the NAT Gateway
  • Zonal: a NAT Gateway lives in one Availability Zone. For resilience, deploy one per AZ and route each private subnet to the NAT Gateway in its own AZ; otherwise an AZ outage takes out internet egress for every AZ that depends on it

Common exam question: "EC2 instances in a private subnet need to download software updates from the internet. What should be configured?"

Answer: A NAT Gateway in a public subnet, with the private subnet's route table routing 0.0.0.0/0 to the NAT Gateway.

Exam trap: NAT Gateways are not free (an hourly charge plus per-GB processing). For cost-sensitive scenarios with low outbound traffic, a NAT Instance (an EC2 instance configured as a NAT device) is cheaper but you manage it yourself: source/destination checking must be disabled on its ENI, its security group must allow the traffic it forwards, and it is a single point of failure unless you build your own failover.

VPC Peering

VPC peering connects two VPCs (same or different accounts, same or different regions) so resources can communicate using private IP addresses.

Key limitations:

  • Not transitive — if VPC A peers with B, and B peers with C, A cannot reach C through B
  • Cannot have overlapping CIDR blocks
  • Each pair of VPCs requires its own peering connection and route table entries in both VPCs

Exam trap: if the question describes three VPCs and says traffic should flow between all of them, VPC peering requires three peering connections (A↔B, B↔C, A↔C). Transit Gateway simplifies this for many VPCs.

NACL vs Security Group

                NACL                                       Security Group
Stateful?       No (return traffic must be allowed)        Yes (return traffic allowed automatically)
Applied to      Subnet                                     Instance (ENI)
Rules           Allow and Deny                             Allow only
Evaluation      In rule-number order, first match wins     All rules evaluated, any matching allow admits
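The table is the whole story, but seeing the two evaluation models run on the same packet makes the stateless trap concrete. The following is an added example, not code from the original guide: a small evaluator with a constructed rule set (addresses and rule numbers are made up) that checks an inbound TCP request against the NACL in ascending rule-number order with first match winning, against the security group as an allow-only union, and then checks the response on the NACL's outbound side, which is where a missing ephemeral-port rule silently breaks a flow that both inbound checks allowed.

```python
"""Evaluate a TCP flow against a network ACL (stateless, ordered, first match)
and a security group (stateful, allow-only, all rules considered).

Added example, not from the original guide. Rules and addresses are constructed.
"""
import ipaddress

# NACL rules: (rule_number, direction, protocol, (low_port, high_port), cidr, action).
# AWS evaluates in ascending rule number; the first match decides; the implicit
# final rule '*' denies everything else.
NACL = [
    (100, "in",  "tcp", (443, 443),    "0.0.0.0/0",      "allow"),
    (110, "in",  "tcp", (22, 22),      "203.0.113.0/24", "deny"),   # blocklisted range
    (120, "in",  "tcp", (22, 22),      "0.0.0.0/0",      "allow"),
    (100, "out", "tcp", (1024, 65535), "0.0.0.0/0",      "allow"),  # responses to clients
]

# Security group rules: (direction, protocol, (low_port, high_port), cidr).
# Allow-only and unordered; return traffic is tracked and never consulted.
SG = [
    ("in",  "tcp", (443, 443),  "0.0.0.0/0"),
    ("in",  "tcp", (22, 22),    "198.51.100.0/24"),  # admin range only
    ("out", "tcp", (0, 65535),  "0.0.0.0/0"),
]


def _match(proto, port, ip, rule_proto, rule_ports, rule_cidr):
    """One rule matches when protocol, port range and CIDR all match."""
    lo, hi = rule_ports
    return (rule_proto in (proto, "all") and lo <= port <= hi
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule_cidr))


def nacl_decision(rules, direction, proto, port, remote_ip):
    """Stateless: lowest-numbered matching rule decides; no match -> ('deny', '*')."""
    for num, d, p, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d == direction and _match(proto, port, remote_ip, p, ports, cidr):
            return action, num
    return "deny", "*"


def sg_decision(rules, direction, proto, port, remote_ip):
    """Allow-only: any matching rule admits the packet; otherwise implicit deny."""
    for d, p, ports, cidr in rules:
        if d == direction and _match(proto, port, remote_ip, p, ports, cidr):
            return "allow"
    return "deny"


def inbound_flow(remote_ip, dst_port, client_port=50000):
    """Full round trip for a request from remote_ip:client_port to our dst_port.
    The NACL is checked on the request (inbound) and on the response (outbound,
    to the client's source port); the SG is checked on the request only, because
    it is stateful and the response is allowed automatically."""
    nacl_in = nacl_decision(NACL, "in", "tcp", dst_port, remote_ip)
    sg_in = sg_decision(SG, "in", "tcp", dst_port, remote_ip)
    nacl_out = nacl_decision(NACL, "out", "tcp", client_port, remote_ip)
    allowed = nacl_in[0] == "allow" and sg_in == "allow" and nacl_out[0] == "allow"
    return {"nacl_in": nacl_in, "sg_in": sg_in, "nacl_out": nacl_out, "allowed": allowed}


if __name__ == "__main__":
    for ip, port, cport in (("198.51.100.5", 22, 50000), ("203.0.113.7", 22, 50000),
                            ("93.184.216.34", 22, 50000), ("198.51.100.5", 22, 1000)):
        print(ip, port, cport, inbound_flow(ip, port, cport))
```

The last case in the usage loop is the one the exam likes: the request passes the NACL (rule 120) and the security group, but the client happened to use source port 1000, below the outbound ephemeral range the NACL allows, so the response is dropped by the implicit deny. A security group would never produce that failure, because it does not evaluate return traffic at all.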


VPC CIDR Block Planning — The Constraints the Exam Tests

When you create a VPC you pick a CIDR block and that decision is permanent in ways that bite you later. AWS enforces a /16 maximum (65,536 addresses) and a /28 minimum (16 addresses, 11 usable). You cannot change the primary CIDR block after the VPC is created. If you realise you need more space you can add secondary CIDR blocks — up to four additional ones — but the primary stays as-is.

The constraint that generates the most exam questions is non-overlapping CIDRs for peered VPCs. If VPC-A is 10.0.0.0/16 and VPC-B is 10.0.0.0/24, you cannot peer them because the ranges overlap. This is intentional — AWS needs unambiguous routing. A common exam scenario: a company has three VPCs all using 10.0.0.0/16 and wants to peer them. The answer is that they need to re-IP at least two of them before peering is possible, since each peered VPC must have a non-overlapping CIDR.

Secondary CIDR blocks have their own constraints: they cannot overlap with each other, they cannot overlap with the primary, and AWS restricts which secondary ranges can be attached depending on your primary range. The most common secondary block use case on the exam is adding a second range when pod-level networking for EKS exhausts the primary CIDR.

Subnet CIDR Sizing — The Five Reserved Addresses

Every subnet you create in a VPC loses five addresses to AWS reservations, regardless of the subnet size. AWS reserves them as follows:

  • .0 — Network address (standard networking convention)
  • .1 — VPC router (the default gateway for instances in this subnet)
  • .2 — Reserved for Amazon DNS (the resolver itself answers at the VPC's primary CIDR base + 2; each subnet's base + 2 is reserved as well)
  • .3 — Reserved for future AWS use
  • Last address in the subnet — Broadcast (.255 in a /24, .31 in a /28 starting at .16; AWS doesn't support broadcast, but the address is reserved)

This becomes exam-relevant with small subnets. A /28 has 16 total addresses. Subtract 5 reserved = 11 usable host IPs. If a question asks "how many EC2 instances can be launched in a /28 subnet," the answer is 11, not 14. The textbook formula 2^4 - 2 = 14 subtracts only the network and broadcast addresses; inside a VPC the five AWS reservations replace that two, so the right path is 16 - 5 = 11.
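The CIDR constraints in the two sections above (VPC size limits, non-overlapping peers, the five reserved addresses) are all checkable with the standard library. The following is an added example, not code from the original guide: the VPC names and ranges are constructed, and the functions implement the rules exactly as stated above, so that a /28 reports 11 usable hosts and two VPCs with overlapping ranges are reported as unpeerable. It also adds a subnet-fit check, which the text does not discuss but which uses the same overlap logic.

```python
"""CIDR planning checks for a VPC: size limits, peering overlap, the five
reserved addresses per subnet, and whether a new subnet fits.

Added example, not part of the original guide. Names and ranges are constructed.
"""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # AWS allows /16 (largest) through /28 (smallest)
RESERVED_PER_SUBNET = 5                   # network, router, DNS, future use, broadcast


def check_vpc_cidr(cidr):
    """Return (ok, reason). Rejects host bits set in the prefix and prefix lengths
    outside the /16../28 window AWS accepts for a VPC CIDR block."""
    try:
        net = ipaddress.IPv4Network(cidr)  # strict=True: "10.0.1.0/16" raises ValueError
    except ValueError as exc:
        return False, str(exc)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return False, f"{cidr}: prefix must be between /16 and /28"
    return True, "ok"


def peering_conflicts(vpcs):
    """Pairs of VPCs (by name) that cannot be peered because their CIDRs overlap."""
    nets = {name: ipaddress.IPv4Network(c) for name, c in vpcs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def reserved_addresses(subnet_cidr):
    """The five addresses AWS takes from every subnet, with their roles."""
    net = ipaddress.IPv4Network(subnet_cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "dns_reserved": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),   # last address, not necessarily .255
    }


def usable_hosts(subnet_cidr):
    """Host addresses left for instances after the AWS reservations."""
    return ipaddress.IPv4Network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def subnet_fits(vpc_cidr, subnet_cidr, existing):
    """A new subnet must lie inside the VPC CIDR and not overlap subnets already carved out."""
    vpc, sub = ipaddress.IPv4Network(vpc_cidr), ipaddress.IPv4Network(subnet_cidr)
    if not sub.subnet_of(vpc):
        return False
    return not any(sub.overlaps(ipaddress.IPv4Network(e)) for e in existing)


if __name__ == "__main__":
    # Constructed scenario: three VPCs, two of them colliding on 10.0.0.0/x.
    vpcs = {"prod": "10.0.0.0/16", "dev": "10.0.0.0/24", "shared": "10.1.0.0/16"}
    for name, cidr in vpcs.items():
        print(name, cidr, check_vpc_cidr(cidr))
    print("cannot peer:", peering_conflicts(vpcs))
    print("/28 reserved:", reserved_addresses("10.0.1.16/28"), "usable:", usable_hosts("10.0.1.16/28"))
    print("fits:", subnet_fits("10.0.0.0/16", "10.0.1.0/24", ["10.0.0.0/24"]))
```

`peering_conflicts` is the check to run before raising a peering request: in the constructed scenario "prod" and "dev" collide and one of them has to be re-addressed, while "shared" can peer with either.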

The DNS IP at VPC CIDR + 2 also shows up in troubleshooting questions, usually as a distractor. Traffic to the Amazon-provided resolver at that address is not filtered by security groups or network ACLs, so adding a port 53 rule will not fix resolution failures against it; check instead that the VPC's enableDnsSupport attribute (and, for public hostnames, enableDnsHostnames) is on and that the DHCP option set still points at AmazonProvidedDNS. A custom resolver set in the DHCP option set (for example an on-premises DNS server reached over VPN) is ordinary traffic, and that path does need UDP/TCP port 53 allowed by the security group and NACL.

VPC Endpoints — When the Exam Says "Without Going Through the Internet"

Any SAA-C03 question that says a private subnet needs to reach S3 or DynamoDB "without going through the internet" is testing VPC endpoints. There are two endpoint types and the exam distinguishes them clearly.

Gateway endpoints work only with S3 and DynamoDB. They're free — no hourly charge, no per-GB charge. You create the endpoint and AWS adds a route to the route tables you select, pointing the service's prefix list to the endpoint. The endpoint policy controls which buckets or tables are accessible through it. Gateway endpoints are regional — they reach the service in the same region only — and they are usable only from inside the VPC that owns them, not across VPC peering, VPN or Direct Connect; a peered VPC needs its own endpoint.

Interface endpoints (powered by AWS PrivateLink) work with almost every other AWS service: SSM, Secrets Manager, CloudWatch Logs, EC2 API, STS, and so on. Each interface endpoint creates an ENI in your subnet with a private IP address. That ENI has an hourly cost (around $0.01 per hour per AZ) plus a per-GB data processing fee. Interface endpoints support endpoint policies and also support private DNS, which means the service's default DNS name (e.g., ec2.us-east-1.amazonaws.com) resolves to the private ENI IP instead of the public endpoint.

The exam trap: a question asks for the "most cost-effective way to allow private subnet instances to access S3." If you pick NAT Gateway, you're paying per-GB for data that could go through a free gateway endpoint. Gateway endpoint is correct. If the service is something like Secrets Manager, a gateway endpoint isn't an option — you need an interface endpoint.

VPC Peering vs Transit Gateway vs PrivateLink

These three are frequently offered as answer choices for the same connectivity scenario, and they solve different problems.

VPC Peering connects two VPCs directly. The key limitation is that transitive routing doesn't work. If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, traffic from VPC-A cannot reach VPC-C through VPC-B. You'd need a direct peering between A and C. This scales badly — connecting 10 VPCs requires up to 45 peering connections. Peering works across accounts and across regions. Cost is free for setup; standard data transfer charges apply.

Transit Gateway acts as a hub. All VPCs attach to the Transit Gateway as spokes, and the Transit Gateway routes between them. Transitive routing works because the Transit Gateway is the router — traffic from VPC-A to VPC-C goes through the Transit Gateway, not through VPC-B. It also handles VPN and Direct Connect attachments. The exam scenario that points to Transit Gateway: "a company has 20 VPCs that all need to communicate with each other and with an on-premises network." Full mesh peering would require 190 connections; Transit Gateway requires 20 attachments.

PrivateLink exposes a specific service endpoint to other VPCs without giving them access to the entire network. A SaaS vendor can expose a load balancer as a PrivateLink service; consumers in other VPCs create interface endpoints to access it without peering. The exam scenario: "Company A wants to allow Company B to access their API without exposing the rest of their VPC." PrivateLink is the answer, not peering.

Default VPC — What Already Exists

Every AWS account gets a default VPC in each region. The exam tests what's pre-configured:

  • The default VPC has a /16 CIDR (172.31.0.0/16)
  • Every default subnet is public: its route table includes a route to an Internet Gateway, and auto-assign public IPv4 is enabled, so instances launched there get a public IP
  • An Internet Gateway is already attached
  • DHCP is configured with AWS's DNS and default hostname settings
  • The default security group allows all traffic between members of the same group

A question might describe these properties and ask what type of resource is configured this way — the answer is the default VPC.

If you delete the default VPC, you can recreate it. Go to the VPC console, select "Your VPCs," and choose "Create Default VPC." AWS recreates the VPC, subnets, IGW, and route tables. This is a recoverable mistake — the exam sometimes offers "deleting the default VPC is permanent" as a distractor.
