Question 1,300 of 1,705
Network Design · medium · Multiple Select · Objective-mapped

Quick Answer

The answer is a public subnet for the web tier, a NAT Gateway, and an Internet Gateway. This combination is correct because the Internet Gateway enables inbound traffic from the internet to the public subnet, while the NAT Gateway, placed in that public subnet, allows instances in private subnets—such as the application tier—to initiate outbound connections to download patches without exposing those private instances to inbound internet traffic. On the AWS Certified Advanced Networking Specialty ANS-C01 exam, this scenario tests your understanding of multi-tier VPC design with public and private subnets, specifically how to segment traffic while maintaining controlled outbound access. A common trap is confusing a NAT Gateway with an Egress-Only Internet Gateway, which only works for IPv6, or assuming a VPC Peering or Direct Connect can provide internet access—they cannot. Memory tip: think of the NAT Gateway as a "one-way door" for private subnets—outbound only, never inbound.

ANS-C01 Network Design Practice Question

This ANS-C01 practice question tests your understanding of network design. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A financial services company is designing a VPC with multiple tiers: web, application, and database. The web tier must be accessible from the internet, but the application and database tiers must not have direct internet access. The company needs to allow the application tier to download patches from the internet. Which THREE components should be included in the design? (Choose three.)

Question 1 · medium · multi select

Correct answer & explanation

Internet Gateway (IGW)

An internet gateway allows inbound traffic to the public subnet. A NAT Gateway enables outbound internet access for private subnets. A public subnet for the web tier is necessary for an internet-facing ALB. VPC Peering is for connecting VPCs, not for internet access. Direct Connect is for a dedicated on-premises connection. An egress-only Internet Gateway is for IPv6 only.


Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Direct Connect virtual interface

    Why it's wrong here

    Direct Connect provides private connectivity to on-premises, not internet access for patches.

  • VPC Peering connection

    Why it's wrong here

    VPC Peering connects VPCs; it does not provide internet access.

  • Internet Gateway (IGW)

    Why this is correct

    IGW is required for the public subnet to receive internet traffic.

    Related concept

    CIDR notation defines the prefix length.

  • NAT Gateway in a public subnet

    Why this is correct

    NAT Gateway allows instances in private subnets to initiate outbound internet traffic.

  • Public subnet for the web tier

    Why this is correct

    A public subnet with a route to the IGW is needed for the web tier.

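To make the explanation above concrete, here is an added example (not Courseiva's code and not an AWS API) that classifies each subnet of a constructed three-tier VPC from its route table alone: a 0.0.0.0/0 route to an igw- target makes a subnet public; a route to a nat- target gives outbound-only egress, but only if the NAT Gateway itself sits in a subnet with an IGW route; and a ::/0 route to an egress-only internet gateway does nothing for IPv4. All ids (igw-0example, nat-0example, eigw-0example) and subnet names are placeholders.

```python
"""Classify the subnets of a multi-tier VPC by IPv4 internet exposure.

Added example, not Courseiva's code and not an AWS API: the VPC, its route
tables and the NAT Gateway placement are constructed dictionaries, so the
check runs offline. Ids such as "igw-0example" are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Subnet:
    name: str
    tier: str         # "web", "app" or "db"
    route_table: str  # name of the route table associated with this subnet


@dataclass
class Vpc:
    # route table name -> {destination CIDR: target id}
    route_tables: Dict[str, Dict[str, str]]
    subnets: List[Subnet]
    # NAT Gateway id -> name of the subnet the gateway was created in
    nat_gateways: Dict[str, str] = field(default_factory=dict)


def _subnet(vpc: Vpc, name: str) -> Subnet:
    return next(s for s in vpc.subnets if s.name == name)


def ipv4_exposure(vpc: Vpc, subnet: Subnet) -> str:
    """Derive a subnet's exposure from its IPv4 default route.

    public          0.0.0.0/0 -> igw-* : inbound and outbound internet traffic
    private-egress  0.0.0.0/0 -> nat-* : outbound only, NAT sits in a public subnet
    broken-nat      0.0.0.0/0 -> nat-* : but the NAT's own subnet has no IGW route
    isolated        no IPv4 default route (a ::/0 -> eigw-* route is IPv6 only)
    """
    target = vpc.route_tables[subnet.route_table].get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        nat_subnet = _subnet(vpc, vpc.nat_gateways[target])
        nat_default = vpc.route_tables[nat_subnet.route_table].get("0.0.0.0/0", "")
        return "private-egress" if nat_default.startswith("igw-") else "broken-nat"
    return "other"


# What the question requires of each tier.
REQUIRED = {"web": "public", "app": "private-egress", "db": "isolated"}


def check_design(vpc: Vpc) -> List[str]:
    """One finding per subnet whose exposure differs from its tier's requirement."""
    findings = []
    for s in vpc.subnets:
        got = ipv4_exposure(vpc, s)
        if got != REQUIRED[s.tier]:
            findings.append(f"{s.name} ({s.tier}): expected {REQUIRED[s.tier]}, got {got}")
    return findings


# Constructed sample: the design the question asks for.
GOOD = Vpc(
    route_tables={
        "rt-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"},
        "rt-app":    {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"},
        "rt-db":     {"10.0.0.0/16": "local"},
    },
    subnets=[Subnet("web-a", "web", "rt-public"),
             Subnet("app-a", "app", "rt-app"),
             Subnet("db-a", "db", "rt-db")],
    nat_gateways={"nat-0example": "web-a"},  # NAT lives in the public subnet
)

# Constructed sample with the traps the page warns about: NAT created inside the
# private app subnet, an IPv6-only egress route for a second app subnet, and a
# database subnet sharing the public route table.
BAD = Vpc(
    route_tables={
        "rt-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"},
        "rt-app":    {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"},
        "rt-app6":   {"10.0.0.0/16": "local", "::/0": "eigw-0example"},
    },
    subnets=[Subnet("web-a", "web", "rt-public"),
             Subnet("app-a", "app", "rt-app"),
             Subnet("app-b", "app", "rt-app6"),
             Subnet("db-a", "db", "rt-public")],
    nat_gateways={"nat-0example": "app-a"},  # no IGW route from here: egress fails
)

if __name__ == "__main__":
    for label, vpc in (("good", GOOD), ("bad", BAD)):
        print(label, check_design(vpc) or "meets the three-tier requirement")
```

Running the module prints three findings for the deliberately broken VPC and none for the correct one. The same route-table walk, fed with real describe-route-tables output, catches the classic failure where a NAT Gateway was created in a private subnet and patch downloads silently time out.
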
Common exam traps

Common exam trap: usable hosts are not the same as total addresses

Subnetting questions often tempt you into counting all addresses. In normal IPv4 subnets, the network and broadcast addresses are not usable host addresses.

Detailed technical explanation

How to think about this question

Subnetting questions test whether you can identify the network, broadcast address, usable range, mask and correct subnet. Slow down enough to calculate the block size correctly.

Key Concepts to Remember

  • CIDR notation defines the prefix length.
  • Block size helps identify subnet boundaries.
  • Network and broadcast addresses are not usable hosts in normal IPv4 subnets.
  • The required host count determines the smallest suitable subnet.

Exam Day Tips

  • Write the block size before choosing the subnet.
  • Check whether the question asks for hosts, subnets or a specific address range.
  • Do not confuse /24, /25, /26 and /27 host counts.

Key takeaway

Count usable hosts — not total addresses — and remember that the network and broadcast addresses are not available to hosts in standard IPv4 subnets.

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

What to study next

Got this wrong? Here's your next step.

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related ANS-C01 subnetting questions on CIDR, address ranges, and subnet selection.


FAQ

Questions learners often ask

What does this ANS-C01 question test?

Network Design — This question tests Network Design — CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answers are Internet Gateway (IGW), NAT Gateway in a public subnet, and a public subnet for the web tier. An internet gateway allows inbound traffic to the public subnet. A NAT Gateway enables outbound internet access for private subnets. A public subnet for the web tier is necessary for an internet-facing ALB. VPC Peering is for connecting VPCs, not for internet access. Direct Connect is for a dedicated on-premises connection. An egress-only Internet Gateway is for IPv6 only.

What should I do if I get this ANS-C01 question wrong?

Review block sizes, usable host formulas (2^n − 2), and how to find network and broadcast addresses for /24 through /30. Then practise related ANS-C01 subnetting questions on CIDR, address ranges, and subnet selection.

What is the key concept behind this question?

CIDR notation defines the prefix length.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.


Same concept, more angles

5 more ways this is tested on ANS-C01

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company is designing a network for a multi-tier application that must meet compliance requirements. The architecture includes a VPC with public, private, and database subnets. Which TWO actions should be taken to ensure the database subnets are not directly accessible from the internet? (Select TWO.)

medium
  • A. Attach an Internet Gateway to the database subnets.
  • B. Create a NAT Gateway in the database subnets.
  • C. Associate a security group that denies inbound traffic from 0.0.0.0/0.
  • D. Configure a network ACL on the database subnets to deny inbound traffic from 0.0.0.0/0.
  • E. Place the database subnets in private subnets.

Why D and E: Options D and E are correct because a public subnet must not be used for databases, and a proper network ACL on the database subnet can deny inbound from 0.0.0.0/0. Option B is wrong because a NAT Gateway in the database subnet would still allow outbound but not inbound; placing a NAT Gateway in a database subnet is also not best practice. Option C is wrong because security groups are stateful and allow return traffic, and a deny rule in a network ACL is needed. Option A is wrong because an IGW attached to the database subnet would expose it.

Variation 2. A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, the application tier must be accessible only from the web tier, and the database tier must be accessible only from the application tier. Which architecture meets these requirements?

medium
  • A. Place each tier in a separate subnet and use network ACLs to allow traffic between tiers
  • B. Place each tier in a separate subnet and use security groups to allow traffic between tiers
  • C. Place all tiers in the same subnet and use security groups to control traffic
  • D. Place all tiers in a public subnet and use a NAT gateway for the application and database tiers

Why B: Placing each tier in separate subnets and using security groups to control inbound traffic between tiers is the standard approach. Using network ACLs is less granular and not stateful. VPC endpoints are for AWS services, not for tier-to-tier communication. A single subnet with NAT would not isolate tiers.

Variation 3. A company is designing a network for a multi-tier application. The web tier must be accessible from the internet, and the application tier must only be accessible from the web tier. Which architecture should they use?

medium
  • A. Web servers in private subnets with a NAT Gateway for outbound traffic, and application servers in public subnets
  • B. Web servers in public subnets with an Internet Gateway, and application servers in private subnets with security groups allowing traffic only from the web tier
  • C. All servers in a single VPC with VPC Peering to another VPC
  • D. Web servers and application servers in public subnets, each with their own security group

Why B: Option B is correct because public subnets for web servers with an Internet Gateway and private subnets for app servers with no direct internet access is the standard pattern. Option A is wrong because a NAT Gateway is for outbound, not inbound, so web servers in private subnets could not be reached from the internet. Option C is wrong because VPC Peering is not needed. Option D is wrong because placing app servers in public subnets exposes them.

Variation 4. A company is designing a network for a three-tier application that must be PCI DSS compliant. The web tier must be accessible from the internet, the application tier must only be accessible from the web tier, and the database tier must only be accessible from the application tier. All tiers are in the same VPC. What is the MOST secure way to implement this?

easy
  • A. Use a VPN between the web and application tiers and between application and database tiers.
  • B. Place all tiers in the same private subnet and use security groups for isolation.
  • C. Place web tier in public subnets, application and database tiers in private subnets. Use security groups to allow only necessary traffic between tiers.
  • D. Place all tiers in public subnets and use network ACLs to restrict traffic.

Why C: Option C is correct because separate public and private subnets with security groups restricting traffic between tiers provide the required isolation. Option D is wrong because network ACLs are stateless and harder to manage for this use case. Option B is wrong because a single subnet does not provide isolation. Option A is wrong because a VPN is unnecessary for intra-VPC traffic.

Variation 5. A company is designing a network for a three-tier web application. The web tier must be accessible from the internet, while the application and database tiers must be in private subnets. The company wants to minimize the number of load balancers. Which design should be used?

easy
  • A. Place an internal Application Load Balancer in a private subnet and use a NAT gateway for internet access.
  • B. Place an internet-facing Network Load Balancer in a public subnet and use it for all tiers.
  • C. Place an internet-facing Application Load Balancer in a public subnet, web tier instances in public subnets, and app/database instances in private subnets.
  • D. Place an internet-facing Application Load Balancer in a private subnet.

Why C: Option C is correct because an internet-facing Application Load Balancer (ALB) in a public subnet can receive internet traffic and forward it to web tier instances in public subnets, while the application and database tiers remain in private subnets with no direct internet access. This design uses a single load balancer to handle all external traffic, minimizing the number of load balancers while maintaining security boundaries.
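Variations 2 to 4 all turn on the same control: each tier's security group admits traffic only from the previous tier's security group, not from a CIDR. As an added example (not Courseiva's code and not an AWS API), the following audit walks a constructed set of three security groups and flags any app or db rule whose source is a CIDR or the wrong tier's group. The group ids sg-web, sg-app and sg-db and the ports are placeholders; only inbound rules are inspected because security groups are stateful, so return traffic for an allowed inbound flow never needs its own rule.

```python
"""Audit security-group chaining between the tiers of a three-tier VPC.

Added example, not Courseiva's code and not an AWS API: security groups and
their inbound rules are constructed in-line, so the audit runs offline.
The group ids "sg-web", "sg-app" and "sg-db" are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source: str  # a CIDR such as "0.0.0.0/0" or a security-group id such as "sg-web"


@dataclass
class SecurityGroup:
    sg_id: str
    tier: str  # "web", "app" or "db"
    inbound: List[Rule]  # inbound only: security groups are stateful, replies are implicit


# The only caller each tier may accept: web from the internet, app from web, db from app.
CHAIN: Dict[str, str] = {"web": "internet", "app": "web", "db": "app"}


def audit_tier_chain(groups: List[SecurityGroup]) -> List[str]:
    """Return one finding per inbound rule that breaks the web -> app -> db chain."""
    tier_of = {g.sg_id: g.tier for g in groups}
    sg_of_tier = {g.tier: g.sg_id for g in groups}
    findings: List[str] = []
    for g in groups:
        caller = CHAIN[g.tier]
        if caller == "internet":
            continue  # the web tier is meant to be reachable from the internet
        for r in g.inbound:
            if not r.source.startswith("sg-"):
                # A CIDR source, even the VPC's own range, lets every subnet in
                # that range talk to this tier; reference the caller's group instead.
                findings.append(
                    f"{g.sg_id} ({g.tier}): {r.proto}/{r.port} open to CIDR {r.source}; "
                    f"reference {sg_of_tier[caller]} instead"
                )
            elif tier_of.get(r.source) != caller:
                findings.append(
                    f"{g.sg_id} ({g.tier}): {r.proto}/{r.port} open to {r.source} "
                    f"({tier_of.get(r.source, 'unknown')} tier); only the {caller} tier is allowed"
                )
    return findings


# Constructed sample: the chained design the variations call correct.
GOOD = [
    SecurityGroup("sg-web", "web", [Rule("tcp", 443, "0.0.0.0/0")]),
    SecurityGroup("sg-app", "app", [Rule("tcp", 8080, "sg-web")]),
    SecurityGroup("sg-db", "db", [Rule("tcp", 3306, "sg-app")]),
]

# Constructed sample with three chain breaks: app open to the whole VPC CIDR,
# db reachable straight from the web tier, and SSH on db open to the internet.
BAD = [
    SecurityGroup("sg-web", "web", [Rule("tcp", 443, "0.0.0.0/0")]),
    SecurityGroup("sg-app", "app", [Rule("tcp", 8080, "10.0.0.0/16")]),
    SecurityGroup("sg-db", "db", [Rule("tcp", 3306, "sg-web"), Rule("tcp", 22, "0.0.0.0/0")]),
]

if __name__ == "__main__":
    for label, groups in (("good", GOOD), ("bad", BAD)):
        print(label, audit_tier_chain(groups) or "tier chain intact")
```

The audit deliberately treats a rule sourced from the VPC's own CIDR as a finding: it is a common shortcut that quietly lets the database subnet reach the application tier and defeats the one-direction chain that Variations 2 to 4 describe.
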

Last reviewed: Jun 20, 2026


This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.