A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?

Keep the NAT gateway, but add AWS WAF rules to block non-service outbound requests to reduce NAT usage.

WAF rules don’t control arbitrary outbound TCP connections initiated from EC2 instances. NAT gateway charges are driven by actual outbound traffic volume (data processed) and active connections, not by WAF policy. Unless the instances themselves stop making those outbound calls, the NAT gateway still processes the traffic and continues to incur charges.

Disable IPv4 on the VPC subnets and rely on IPv6-only egress to reduce NAT gateway costs.

NAT gateways are used specifically for private IPv4 egress to reach the internet or other networks. Switching to IPv6-only does not inherently eliminate the cost drivers for private service connectivity; it also requires a correct egress architecture for reaching AWS services and may introduce other components/changes. This does not directly address the most direct cost lever: using VPC endpoints to avoid NAT for calls to S3 and Secrets Manager.

Replace the NAT gateway with a VPC firewall appliance instance to proxy outbound calls and reduce NAT fees.

Using a self-managed proxy/firewall appliance adds additional compute cost, scaling/availability overhead, and operational burden (patching, upgrades, monitoring). It also does not provide the same purpose-built, service-specific private connectivity model that VPC endpoints provide for S3 and Secrets Manager, so it is unlikely to be more cost-effective than adding the correct endpoints.

What does this SAA-C03 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: Create a Gateway VPC endpoint for S3 and an Interface VPC endpoint for Secrets Manager, and ensure the subnet route tables / endpoint routing directs those service calls to the endpoints instead of the NAT gateway. — The best way to avoid NAT gateway charges for private access to AWS services is to route service traffic through VPC endpoints. Create a Gateway VPC endpoint for Amazon S3 so S3 API calls use route-table entries (S3 prefix list) instead of the NAT path, and create an Interface VPC endpoint for AWS Secrets Manager so Secrets Manager API calls use private ENIs (with private DNS if configured). Because the EC2 application continues to call the same AWS endpoints (S3 and Secrets Manager APIs), there is no required application-logic change. As a result, NAT gateway data processing for these service calls drops substantially (often to zero for that traffic), reducing monthly cost while keeping traffic private. Keeping the NAT gateway means the instances still send S3 and Secrets Manager requests through the NAT path, so NAT charges persist. WAF cannot prevent the NAT gateway from processing outbound requests that the instances actually make. Disabling IPv4/using IPv6-only is not a direct substitute for endpoint-based private service connectivity and may require additional egress design changes. Replacing NAT with a self-managed proxy/firewall appliance adds operational complexity and cost and is not as straightforward or typically as cost-efficient as using managed VPC endpoints for S3 and Secrets Manager.

What should I do if I get this SAA-C03 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.