SAA-C03 · topic practice

NAT Gateway practice questions

Practise SAA-C03 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: NAT Gateway

What the exam tests

What to know about NAT Gateway

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

Static NAT, dynamic NAT and PAT behaviour.

Inside local, inside global, outside local and outside global address meanings.

How NAT affects connectivity between private networks and public destinations.

How to troubleshoot NAT rules, ACL matches and interface direction.

Why learners struggle

Why NAT Gateway questions are commonly missed

NAT questions are missed when learners confuse the four address types (inside local, inside global, outside local, outside global) or misapply the interface direction. A translation rule can look correct but still fail if the ACL, interface, or direction is wrong.

  • Inside local vs inside global — inside local is the private source, inside global is the translated public address
  • PAT overloads — many sources share one public IP using unique port numbers
  • Interface direction — ip nat inside and ip nat outside must be on the correct interfaces
  • Static NAT vs dynamic NAT vs PAT — each serves a different use case
  • The NAT ACL identifies traffic to translate, not traffic to permit or deny
  • A missing translation can look like a routing problem if the interfaces are misconfigured

Watch out for

Common NAT Gateway exam traps

  • PAT allows many inside hosts to share one public address by using port numbers.
  • NAT rules depend on correct inside and outside interface configuration.
  • The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
  • Static NAT maps one private address to one public address, while PAT overloads translations.

Practice set

NAT Gateway questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multi select
Read the full NAT/PAT explanation →

A service in private subnets downloads product images from Amazon S3 and stores job state in DynamoDB. A NAT Gateway is currently the only route to AWS services, and the monthly bill is dominated by NAT data processing charges. Which two changes will most directly reduce that cost? Select two.

Question 2 · hard · multi select
Read the full NAT/PAT explanation →

A serverless checkout API uses AWS Lambda behind API Gateway. Every weekday at 09:00 UTC, marketing triggers a predictable surge. The first few minutes after each surge show cold-start latency, but traffic volume is forecastable and the business wants stable p95 latency. Which two changes should the team implement? Select two.

Question 3 · medium · multi select
Read the full NAT/PAT explanation →

A workload runs in private subnets and must reach Amazon S3 and AWS Secrets Manager without using the internet or a NAT gateway. The team wants to keep the traffic on AWS private networking and avoid public IPs. Which two changes should the architect make? Select two.

Question 4 · easy · multiple choice
Read the full NAT/PAT explanation →

Your application runs in private subnets with no NAT gateway. It needs to call AWS Secrets Manager to retrieve secrets. For private connectivity without internet egress, which VPC endpoint type should you create for AWS Secrets Manager?

Question 5 · medium · multiple choice
Read the full NAT/PAT explanation →

A service runs in private subnets. It must call AWS APIs (for example, S3 and Secrets Manager). The team currently sends all outbound traffic through a NAT Gateway, and NAT charges have become a major cost driver. The workload must not traverse the public internet. What change most directly reduces NAT Gateway cost while maintaining private connectivity to those AWS services?

Question 6 · hard · multi select
Read the full NAT/PAT explanation →

A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.

Question 7 · medium · multiple choice
Read the full NAT/PAT explanation →

A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?

Question 8 · easy · multiple choice
Read the full NAT/PAT explanation →

A company’s private workload in a VPC uploads objects to an S3 bucket. Security requires that S3 requests are allowed only when they traverse a specific S3 Gateway VPC Endpoint (vpce-0abc123example). Which change best enforces this restriction at the S3 bucket level?

Question 9 · easy · multiple choice
Read the full NAT/PAT explanation →

A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?

Question 10 · hard · multi select
Read the full NAT/PAT explanation →

A startup has an HTTP API with highly unpredictable traffic from mobile devices. Each request performs lightweight validation, writes an event record, and triggers downstream notifications. The current EC2 fleet stays mostly idle, and the team wants to reduce infrastructure management and pay only for usage. Which two changes best fit the requirement? Select two.

Question 11 · medium · multiple choice
Read the full NAT/PAT explanation →

A web application runs in private subnets with no NAT gateway. It needs to retrieve credentials from AWS Secrets Manager at runtime. After a recent network hardening change, the application logs timeout errors when calling Secrets Manager.

Which change will most directly enable private connectivity to Secrets Manager while keeping the subnets NAT-free?

Question 12 · hard · multiple choice
Read the full NAT/PAT explanation →

An EC2 instance in a private subnet must access an S3 bucket that contains regulated exports for an image-sharing application. The security team requires access to be allowed only when traffic comes through a specific VPC endpoint. What should the architect add to the bucket policy?

Question 13 · medium · multiple choice
Read the full NAT/PAT explanation →

A serverless API built with AWS Lambda serves latency-sensitive requests. The team observes intermittent slow responses during traffic ramp-ups and expects some users to hit the API immediately after a period of inactivity. Which configuration best reduces cold-start latency during these ramp-ups?

Question 14 · medium · multi select
Read the full NAT/PAT explanation →

An application runs in private subnets and must access Amazon S3, Amazon DynamoDB, and AWS Secrets Manager. The security team wants the traffic to stay on the AWS network and the finance team wants to eliminate NAT Gateway charges. Which three changes should they make? Select three.

Question 15 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, an application runs in private subnets without a NAT gateway and must retrieve a secret from AWS Secrets Manager. Security requires the traffic to stay on the AWS network and not traverse the public internet. What is the best solution?

Exhibit

{
  "subnet_route_table": [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "-"}
  ],
  "dns_test": {
    "command": "nslookup secretsmanager.us-east-1.amazonaws.com",
    "result": "Name: secretsmanager.us-east-1.amazonaws.com\nAddress: 54.239.28.82"
  },
  "application_log": [
    "2026-04-18T12:10:04Z ERROR GetSecretValue timed out after 3000 ms",
    "2026-04-18T12:10:04Z INFO calling https://secretsmanager.us-east-1.amazonaws.com"
  ]
}

Question 16 · medium · multiple choice
Read the full NAT/PAT explanation →

An engineering team runs application servers in private subnets. The instances must download patches and software packages from Amazon S3, but the company does not want the traffic to traverse the internet or a NAT gateway. Which design should they use?

Question 17 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, a company wants EC2 instances in private subnets to access Amazon S3 without using a NAT gateway, and bucket access must be allowed only when requests come through the approved VPC endpoint. Which design is the most appropriate?

Exhibit

Route table for private subnet:
Destination        Target
10.0.0.0/16        local
pl-68a54001        vpce-s3-gateway

S3 bucket policy draft:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}

Application log:
GET s3://app-data/config.json failed before endpoint change
GET s3://app-data/config.json succeeded after endpoint change
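
Questions 8, 12 and 17 all turn on the aws:SourceVpce condition in a bucket policy like the draft in the exhibit above. The Python below is an added example, not part of this page and not an AWS tool: it loads the exhibit's draft policy, lists the endpoint ids the policy approves, and simulates the explicit-deny evaluation for constructed request contexts, including a request with no aws:SourceVpce key at all, which is what a request arriving through a NAT gateway looks like. The evaluation is deliberately simplified (it assumes Principal, Action and Resource already match) and only implements the StringNotEquals operator.

```python
"""Added example: evaluate a Deny/StringNotEquals aws:SourceVpce bucket policy.
The policy text is copied from the Question 17 exhibit; request contexts below
are constructed for this example. Simplified semantics: Principal/Action/Resource
are assumed to match and only StringNotEquals is implemented."""
import json

# Draft bucket policy from the exhibit.
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRequestsNotFromEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::app-data", "arn:aws:s3:::app-data/*"],
      "Condition": {
        "StringNotEquals": {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}
      }
    }
  ]
}
""")


def approved_endpoints(policy):
    """Collect the endpoint ids that Deny/StringNotEquals aws:SourceVpce statements exempt."""
    ids = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        value = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:SourceVpce")
        if value is None:
            continue
        ids.update([value] if isinstance(value, str) else value)
    return ids


def deny_statement_matches(stmt, request_ctx):
    """True when the Deny statement's conditions match the request context."""
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            expected = [expected] if isinstance(expected, str) else list(expected)
            actual = request_ctx.get(key)
            # Negated operators match when the key is absent from the context.
            # That is why a request via NAT (no aws:SourceVpce) hits the Deny.
            if actual is not None and actual in expected:
                return False
    return True


def is_denied(policy, request_ctx):
    """Explicit deny wins: any matching Deny statement blocks the request."""
    return any(s.get("Effect") == "Deny" and deny_statement_matches(s, request_ctx)
               for s in policy.get("Statement", []))


if __name__ == "__main__":
    # Constructed request contexts: via the approved endpoint, via NAT, via another endpoint.
    for label, ctx in [
        ("approved endpoint", {"aws:SourceVpce": "vpce-0a1b2c3d4e5f6a7b8"}),
        ("via NAT gateway", {}),
        ("other endpoint", {"aws:SourceVpce": "vpce-0000000000000example"}),
    ]:
        print(f"{label:18} denied={is_denied(BUCKET_POLICY, ctx)}")
    print("approved:", approved_endpoints(BUCKET_POLICY))
```

Because the Deny uses Principal "*", it also blocks administrators working from outside the VPC (console or CLI from a laptop, for instance); in practice the statement is paired with an exception for a break-glass role so the bucket is not locked out entirely.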

Question 18 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, a workload in private subnets must reach only Amazon S3 and AWS Secrets Manager. The team wants to eliminate internet exposure for those calls and reduce NAT gateway charges. What change should be made?

Exhibit

Private subnet route table rtb-priv:
- 10.0.0.0/16 local
- 0.0.0.0/0 -> nat-0a12bc34

Application logs:
2026-04-20T10:14:11Z ERROR could not reach https://secretsmanager.us-east-1.amazonaws.com:443
2026-04-20T10:14:11Z ERROR timeout after 30s while downloading s3://company-artifacts-builds

Finance note:
"NAT data processing charges increased 42% last month."

Question 19 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, an EC2 application runs in private subnets with no NAT gateway and must retrieve a secret from AWS Secrets Manager. The secret uses a customer managed KMS key. Which change will allow the application to reach the service while keeping traffic off the internet?

Exhibit

VPC configuration:
- Subnet-Private-A route table: local 10.0.0.0/16 only
- Subnet-Private-B route table: local 10.0.0.0/16 only
- No 0.0.0.0/0 route to an Internet Gateway or NAT Gateway

Existing endpoints:
- com.amazonaws.us-east-1.s3 (Gateway endpoint)

Application log:
ERROR: Unable to retrieve secret arn:aws:secretsmanager:us-east-1:111122223333:secret:prod/api/db
ERROR: connect timeout to secretsmanager.us-east-1.amazonaws.com
ERROR: KMS Decrypt access not completed

Question 20 · hard · multiple choice
Read the full NAT/PAT explanation →

Based on the exhibit, your application runs entirely in private subnets and only needs to reach Amazon S3, Amazon DynamoDB, AWS Secrets Manager, and CloudWatch Logs. The monthly bill is dominated by NAT Gateway charges. Which change most directly reduces cost while preserving private connectivity to these AWS services?

Exhibit

VPC: vpc-0a1b2c3d
Private subnets: 10.0.10.0/24, 10.0.11.0/24
Route tables:
  10.0.10.0/24 -> 0.0.0.0/0 -> nat-07fabc123
  10.0.11.0/24 -> 0.0.0.0/0 -> nat-07fabc123
VPC Flow Logs (sample):
  10.0.10.45 -> 52.216.23.11 ACCEPT
  10.0.10.45 -> 54.239.28.85 ACCEPT
  10.0.11.18 -> 52.94.76.21 ACCEPT
Cost Explorer last 30 days:
  NATGateway-Hours: $31.20
  NATGateway-Bytes: $614.80
App requirement: no internet access is needed; only AWS service access is required.
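The exhibits in Questions 15, 17, 18, 19 and 20 each show a route table and, sometimes, a list of endpoints, and the question is always which path a call takes: a Gateway endpoint (S3 and DynamoDB only, needing a prefix-list route), an Interface endpoint with private DNS (no route change needed), the NAT gateway on the default route, or nothing at all. The Python below is an added example, not from this page or from AWS: its classification logic is this example's own, the route tables mirror the Question 17, 18 and 19 exhibits, and the endpoint lists are constructed.

```python
"""Added example: classify how a private-subnet workload reaches an AWS service.
Route tables mirror the Question 17, 18 and 19 exhibits; endpoint lists are
constructed. The classification rules are this example's own simplification."""

GATEWAY_SERVICES = {"s3", "dynamodb"}   # the only services offered as Gateway endpoints


def egress_path(route_table, endpoints, service):
    """Return how `service` is reached from a subnet with this route table.

    route_table: list of (destination, target) pairs, e.g. ("0.0.0.0/0", "nat-0a12bc34")
    endpoints:   list of dicts such as
                 {"service": "s3", "type": "Gateway", "prefix_list": "pl-68a54001"}
                 {"service": "secretsmanager", "type": "Interface", "private_dns": True}
    Result: "gateway-endpoint", "interface-endpoint", "nat", "igw" or "none".
    """
    for ep in endpoints:
        if ep["service"] != service:
            continue
        if ep["type"] == "Gateway" and service in GATEWAY_SERVICES:
            # A Gateway endpoint is only usable from subnets whose route table
            # carries the service prefix-list route pointing at the endpoint.
            if any(dest == ep["prefix_list"] and tgt.startswith("vpce")
                   for dest, tgt in route_table):
                return "gateway-endpoint"
        elif ep["type"] == "Interface" and ep.get("private_dns", False):
            # With private DNS enabled the public service hostname resolves to
            # the endpoint ENI inside the VPC, so no route-table change is needed.
            return "interface-endpoint"
    # No usable endpoint: the call follows the default route, if there is one.
    for dest, tgt in route_table:
        if dest == "0.0.0.0/0":
            if tgt.startswith("nat-"):
                return "nat"
            if tgt.startswith("igw-"):
                return "igw"
    return "none"


def recommended_fix(service):
    """Endpoint type that keeps `service` traffic on the AWS network without NAT."""
    if service in GATEWAY_SERVICES:
        return f"Gateway endpoint for {service} plus its prefix-list route"
    return f"Interface endpoint for {service} with private DNS enabled"


# Constructed inputs mirroring the exhibits.
RTB_Q17 = [("10.0.0.0/16", "local"), ("pl-68a54001", "vpce-s3-gateway")]
RTB_Q18 = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a12bc34")]
RTB_Q19 = [("10.0.0.0/16", "local")]

ENDPOINTS_S3_ONLY = [{"service": "s3", "type": "Gateway", "prefix_list": "pl-68a54001"}]
ENDPOINTS_FIXED = ENDPOINTS_S3_ONLY + [
    {"service": "secretsmanager", "type": "Interface", "private_dns": True},
]

if __name__ == "__main__":
    for label, rtb, eps, svc in [
        ("Q17 S3 via gateway endpoint", RTB_Q17, ENDPOINTS_S3_ONLY, "s3"),
        ("Q18 Secrets Manager via NAT", RTB_Q18, [], "secretsmanager"),
        ("Q19 Secrets Manager, no route", RTB_Q19, ENDPOINTS_S3_ONLY, "secretsmanager"),
        ("Q19 after interface endpoint", RTB_Q19, ENDPOINTS_FIXED, "secretsmanager"),
    ]:
        print(f"{label}: {egress_path(rtb, eps, svc)} -> {recommended_fix(svc)}")
```

The Question 19 case is the one that catches people: an S3 Gateway endpoint already exists, but it does nothing for Secrets Manager, and the subnet has no default route, so the connect timeout in the log is expected until an Interface endpoint (with private DNS) is added.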


Frequently asked questions

What does the SAA-C03 exam test about NAT Gateway?
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just NAT Gateway questions in a focused session?
Yes — the session launcher on this page draws every question from the NAT Gateway domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAA-C03 topics?
Use the topic links above to move to related areas, or go back to the SAA-C03 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.