Question 1,464 of 1,705
Network ImplementationmediumMultiple ChoiceObjective-mapped

Configuring NAT Gateway for Outbound-Only Internet Access in Private Subnets

This ANS-C01 practice question tests your understanding of network implementation. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: internet Gateway (IGW). Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is deploying a multi-tier web application in a VPC with public and private subnets. The web servers in the public subnets must be able to initiate outbound connections to the internet for software updates, but must not be directly accessible from the internet. Which configuration meets these requirements?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the public subnet's route table.

For instances in public subnets, outbound internet access is provided by attaching an Internet Gateway (IGW) to the VPC and adding a default route to the IGW in the public subnet's route table. To prevent direct inbound access, you use security groups or network ACLs to block incoming traffic. Option C correctly describes this configuration. Option D is for private subnets, where instances need a NAT Gateway for outbound access and must not have public IPs, which contradicts the stem stating the web servers are in public subnets. Options A and B are incorrect because NAT instances and ALBs are not used for providing outbound internet access from public subnets directly.

Key principle: Internet Gateway (IGW)

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Deploy a NAT instance in a private subnet and add a default route to the NAT instance in the private subnet's route table.

    Why it's wrong here

    Incorrect. A NAT instance in a private subnet is used to provide outbound internet access for instances in private subnets, not public subnets. Moreover, the default route should be in the private subnet's route table, not the public subnet's.

  • Deploy an Application Load Balancer (ALB) in a public subnet and route outbound traffic through the ALB.

    Why it's wrong here

    Incorrect. An Application Load Balancer (ALB) is used for load balancing HTTP/HTTPS traffic, not for routing outbound internet traffic.

  • Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the public subnet's route table.

    Why this is correct

    Correct. An Internet Gateway attached to the VPC and a default route to the IGW in the public subnet's route table allows instances in public subnets to initiate outbound connections to the internet. To prevent direct inbound access, security groups must be configured to block such traffic.

    Related concept

    Internet Gateway (IGW)

  • Deploy a NAT Gateway in a public subnet and add a default route to the NAT Gateway in the private subnet's route table.

    Why it's wrong here

    Incorrect. A NAT Gateway in a public subnet is used to provide outbound internet access for instances in private subnets. Since the web servers are in public subnets, a NAT Gateway is unnecessary; they can use the Internet Gateway directly. Additionally, the default route should be in the public subnet's route table, not the private subnet's.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap is that candidates often assume that to prevent direct inbound access, instances must be in private subnets and thus select a NAT Gateway. However, the question explicitly states the web servers are in public subnets, so an Internet Gateway is the correct component for outbound access, and inbound blocking is done via security groups, not by using NAT.

Detailed technical explanation

How to think about this question

A NAT Gateway uses source network address translation (SNAT) to map private IP addresses of instances in private subnets to its own Elastic IP address for outbound traffic, while dropping any unsolicited inbound traffic. Unlike a NAT instance, a NAT Gateway is a managed service that automatically scales up to 45 Gbps and does not require patching or failover scripts. In real-world scenarios, this configuration is common for multi-tier applications where web servers need to fetch updates from repositories like yum or apt without exposing them to direct internet access.

KKey Concepts to Remember

  • Internet Gateway (IGW)
  • Public Subnet
  • Security Group
  • Default Route

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Internet Gateway (IGW)

Real-world example

How this comes up in practice

A media company stores terabytes of video archives that are accessed once a year for audit purposes. Moving these objects to a cold storage tier (Azure Archive, S3 Glacier, or Google Nearline) costs a fraction of hot storage. Questions like this test whether you understand storage tiers, access frequency tradeoffs, and retrieval latency requirements.

Visual reference

Inside (Private) PC-A 10.0.0.1 PC-B 10.0.0.2 NAT Router Outside (Public) 203.0.113.1 Inside Global Server PAT: many private IPs share one public IP via unique port numbers

What to study next

Got this wrong? Here's your next step.

Review internet Gateway (IGW), then practise related ANS-C01 questions on the same topic to reinforce the concept.

Related practice questions

Related ANS-C01 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free ANS-C01 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this ANS-C01 question test?

Network Implementation — This question tests Network Implementation — Internet Gateway (IGW).

What is the correct answer to this question?

The correct answer is: Attach an Internet Gateway to the VPC and add a default route to the Internet Gateway in the public subnet's route table. — For instances in public subnets, outbound internet access is provided by attaching an Internet Gateway (IGW) to the VPC and adding a default route to the IGW in the public subnet's route table. To prevent direct inbound access, you use security groups or network ACLs to block incoming traffic. Option C correctly describes this configuration. Option D is for private subnets, where instances need a NAT Gateway for outbound access and must not have public IPs, which contradicts the stem stating the web servers are in public subnets. Options A and B are incorrect because NAT instances and ALBs are not used for providing outbound internet access from public subnets directly.

What should I do if I get this ANS-C01 question wrong?

Review internet Gateway (IGW), then practise related ANS-C01 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Internet Gateway (IGW)

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More ANS-C01 practice questions

Last reviewed: Jul 4, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This ANS-C01 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the ANS-C01 exam.