- A
Deploy a NAT instance in the public subnet and route traffic through it
Why wrong: A NAT instance requires an Elastic IP address, which is prohibited by the security team.
- B
Configure a proxy server in the public subnet and have the application server use the proxy
Why wrong: A proxy server in a public subnet would typically have a public IP, which is not allowed.
- C
Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service
PrivateLink enables private connectivity to services over the AWS network, avoiding public IPs and internet transit, meeting compliance requirements.
- D
Attach an Internet Gateway to the VPC and use a default route to 0.0.0.0/0 in the private subnet
Why wrong: Without a NAT device, private instances cannot initiate outbound traffic to the internet even with an IGW.
Quick Answer
The answer is to use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service. This solution is correct because PrivateLink enables the application server in the private subnet to communicate with the third-party service using private IP addresses, completely avoiding traversal over the internet and eliminating the need for an Elastic IP or NAT gateway. By keeping traffic within the AWS network backbone, it satisfies PCI DSS compliance requirements for data in transit and resolves the security team’s auditing concerns about public IP exposure. On the ANS-C01 exam, this scenario tests your understanding of how PrivateLink provides secure, private connectivity to third-party services without internet gateways—a common trap is assuming a NAT Gateway or Transit Gateway is required for outbound-only traffic. Remember the mnemonic: “PrivateLink keeps it private, no public IP needed.”
ANS-C01 Network Design Practice Question
This ANS-C01 practice question tests your understanding of network design. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A financial services company must meet PCI DSS compliance requirements. The company's VPC contains a web server in a public subnet and an application server in a private subnet. The application server must communicate with a third-party payment gateway over the internet, but the security team prohibits using an Elastic IP address or a NAT gateway due to auditing concerns. Which solution satisfies these requirements?
Answer choices
Why each option matters
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service
AWS PrivateLink allows the application server in the private subnet to connect to the third-party payment gateway via a VPC Endpoint Service without traversing the internet, using private IP addresses. This eliminates the need for an Elastic IP address or a NAT gateway, satisfying the security team's auditing concerns while meeting PCI DSS compliance requirements.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
- ✗
Deploy a NAT instance in the public subnet and route traffic through it
Why it's wrong here
A NAT instance requires an Elastic IP address, which is prohibited by the security team.
- ✗
Configure a proxy server in the public subnet and have the application server use the proxy
Why it's wrong here
A proxy server in a public subnet would typically have a public IP, which is not allowed.
- ✓
Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service
Why this is correct
PrivateLink enables private connectivity to services over the AWS network, avoiding public IPs and internet transit, meeting compliance requirements.
Related concept
Read the scenario before looking for a memorised answer.
- ✗
Attach an Internet Gateway to the VPC and use a default route to 0.0.0.0/0 in the private subnet
Why it's wrong here
Without a NAT device, private instances cannot initiate outbound traffic to the internet even with an IGW.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often assume a NAT gateway or proxy is required for outbound internet access, but PrivateLink provides a private, internet-free connection to third-party services, directly addressing the auditing and compliance constraints.
Detailed technical explanation
How to think about this question
AWS PrivateLink uses VPC Endpoints powered by AWS PrivateLink, which enables private connectivity between VPCs and AWS services or third-party services via interface endpoints. The traffic stays within the AWS network, never traversing the public internet, and supports security groups and network ACLs for fine-grained access control. In a real-world PCI DSS scenario, this ensures that payment card data does not leave the AWS network, reducing the compliance scope and audit complexity.
KKey Concepts to Remember
- Read the scenario before looking for a memorised answer.
- Find the constraint that changes the correct option.
- Eliminate answers that are true in general but not in this case.
TExam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Real-world example
How this comes up in practice
A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
- →
Network Design — study guide chapter
Learn the concepts, then practise the questions
- →
Network Design practice questions
Targeted practice on this topic area only
- →
All ANS-C01 questions
1,705 questions across all exam domains
- →
AWS Certified Advanced Networking Specialty ANS-C01 study guide
Full concept coverage aligned to exam objectives
- →
ANS-C01 practice test guide
How to use practice tests most effectively before exam day
Related practice questions
Related ANS-C01 practice-question pages
Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.
Network Management and Operations practice questions
Practise ANS-C01 questions linked to Network Management and Operations.
Network Security, Compliance and Governance practice questions
Practise ANS-C01 questions linked to Network Security, Compliance and Governance.
Network Design practice questions
Practise ANS-C01 questions linked to Network Design.
Network Implementation practice questions
Practise ANS-C01 questions linked to Network Implementation.
ANS-C01 fundamentals practice questions
Practise ANS-C01 questions linked to ANS-C01 fundamentals.
ANS-C01 scenario practice questions
Practise ANS-C01 questions linked to ANS-C01 scenario.
ANS-C01 troubleshooting practice questions
Practise ANS-C01 questions linked to ANS-C01 troubleshooting.
Practice this exam
Start a free ANS-C01 practice session
Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.
FAQ
Questions learners often ask
What does this ANS-C01 question test?
Network Design — This question tests Network Design — Read the scenario before looking for a memorised answer..
What is the correct answer to this question?
The correct answer is: Use AWS PrivateLink to connect to the payment gateway via a VPC Endpoint Service — AWS PrivateLink allows the application server in the private subnet to connect to the third-party payment gateway via a VPC Endpoint Service without traversing the internet, using private IP addresses. This eliminates the need for an Elastic IP address or a NAT gateway, satisfying the security team's auditing concerns while meeting PCI DSS compliance requirements.
What should I do if I get this ANS-C01 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →
Last reviewed: Jun 24, 2026
This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.