SAA-C03 · topic practice
NAT Gateway practice questions
Use this page to practise SAA-C03 NAT Gateway questions. The goal is not to memorise dumps, but to understand each concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about NAT Gateway
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
Static NAT, dynamic NAT and PAT behaviour.
Inside local, inside global, outside local and outside global address meanings.
How NAT affects connectivity between private networks and public destinations.
How to troubleshoot NAT rules, ACL matches and interface direction.
Practice set
NAT Gateway questions
20 questions · select your answer, then reveal the explanation
A media processing workflow in private subnets downloads large amounts of data from S3 through a NAT gateway. NAT data processing charges are high. What should the architect use to reduce cost? The architecture review board prefers a managed AWS-native control.
A batch analytics job currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first?
A batch analytics job currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first? The design must avoid adding custom operational scripts.
A backend API uses an AWS Lambda function behind API Gateway. The first requests after every weekly deployment experience cold starts, causing p95 latency spikes for a few minutes. Which configuration most directly prevents those cold starts for the published version?
A CI system runs on EC2 instances in private subnets and uploads build artifacts to an S3 bucket. The security team wants to eliminate NAT Gateway costs, force all uploads to use TLS, and require SSE-KMS with an approved customer managed key. Which three changes should be made? Select three.
A company hosts application servers in private subnets. They must access Amazon S3 and read secrets from AWS Secrets Manager, but they want to avoid internet egress. They currently use a NAT gateway and see high NAT-related costs. What change most directly reduces cost while keeping traffic on the AWS network?
A company hosts an internal HTTP API on an internal Network Load Balancer (NLB) in VPC A. A partner team in a separate AWS account needs access, but their VPC CIDR overlaps with VPC A, so VPC peering is not feasible.
Security requirements state the API must remain non-public (no internet-facing ALB/NLB) and access must use AWS private networking.
Which architecture best meets these requirements?
A company runs an application in private subnets (no inbound internet). The application must access Amazon S3 and AWS Secrets Manager endpoints without routing through the public internet and without exposing the instances to NAT gateways due to cost. Security requirements also state that only the required VPC traffic should be allowed to reach AWS services.
Which architecture best satisfies these requirements?
A batch job runs on EC2 instances in isolated private subnets with no NAT Gateway. The job uses STS AssumeRole to access an operations account and then retrieves a secret from AWS Secrets Manager. After a network hardening change, both calls fail. Which two interface VPC endpoints should be created? Select two.
A company hosts an application on EC2 instances in private subnets. The instances must (1) read objects from Amazon S3 and (2) retrieve secrets from AWS Secrets Manager. The team currently sends all outbound traffic through a NAT gateway to reach both services. They want to reduce monthly cost while keeping traffic private (no internet egress) and without changing application logic. Which change is the most cost-effective?
A company runs an application on EC2 instances in private subnets. The instances must access Amazon S3, and the team currently routes all outbound traffic to the internet through a NAT Gateway. Monthly NAT Gateway charges increased significantly, even though the application only needs to call S3 (not access other public internet services). Which change will most directly reduce NAT Gateway charges while keeping S3 access working?
A company runs EC2 instances in private subnets and needs to access Amazon S3 objects without using a NAT gateway. They want the traffic to stay within AWS private networking as much as possible (no internet egress). Which VPC endpoint type should they create for Amazon S3?
A game streaming service must use UDP for real-time gameplay traffic. For external firewall allowlisting, the service requires stable, static IP addresses. The TLS handshake must be handled end-to-end by the application servers (the load balancer must not terminate TLS). Which AWS load balancing option best fits these requirements?
A dev sandbox currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first? The design must avoid adding custom operational scripts.
A dev sandbox currently uses two NAT gateways in each of three Availability Zones, but only one private subnet per AZ needs outbound internet access. What should the architect review first?
A containerized service runs in private subnets and retrieves secrets from AWS Secrets Manager and configuration parameters from AWS Systems Manager Parameter Store on startup. A NAT Gateway is currently used only for these AWS API calls, and the security team wants to eliminate that recurring charge. Which two endpoints should be added? Select two.
A latency-sensitive telemetry service uses a custom TCP protocol on EC2 instances in private subnets. The service must preserve the client source IP for rate limiting, avoid HTTP header inspection, and keep per-request overhead as low as possible. Which changes should the team make? Select three.
Watch out for
Common NAT Gateway exam traps
- PAT allows many inside hosts to share one public address by using port numbers.
- NAT rules depend on correct inside and outside interface configuration.
- The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
- Static NAT maps one private address to one public address, while PAT overloads translations.
Focused NAT Gateway sessions
Start a NAT Gateway only practice session
Every question in these sessions is drawn from the NAT Gateway domain — nothing else.
Frequently asked questions
- What does the SAA-C03 exam test about NAT Gateway?
- NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
- How should I use these practice questions?
- Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
- Can I practise just NAT Gateway questions in a focused session?
- Yes — the session launcher on this page draws every question from the NAT Gateway domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
- Are these real exam questions or dumps?
- These are original practice questions written to test the same concepts the SAA-C03 exam covers. They are not copied from any real exam or dump site.