SAP-C02 · topic practice

NAT Gateway practice questions

Practise SAP-C02 NAT and PAT questions covering address translation types, inside/outside interface roles, static vs dynamic vs PAT, and troubleshooting missing or incorrect translations.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: NAT Gateway

What the exam tests

What to know about NAT Gateway

NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.

  • Static NAT, dynamic NAT and PAT behaviour.
  • Inside local, inside global, outside local and outside global address meanings.
  • How NAT affects connectivity between private networks and public destinations.
  • How to troubleshoot NAT rules, ACL matches and interface direction.

Why learners struggle

Why NAT Gateway questions are commonly missed

NAT questions are missed when learners confuse the four address types (inside local, inside global, outside local, outside global) or misapply the interface direction. A translation rule can look correct but still fail if the ACL, interface, or direction is wrong.

  • Inside local vs inside global — inside local is the private source, inside global is the translated public address
  • PAT overloads — many sources share one public IP using unique port numbers
  • Interface direction — ip nat inside and ip nat outside must be on the correct interfaces
  • Static NAT vs dynamic NAT vs PAT — each serves a different use case
  • The NAT ACL identifies traffic to translate, not traffic to permit or deny
  • A missing translation can look like a routing problem if the interfaces are misconfigured

Watch out for

Common NAT Gateway exam traps

  • PAT allows many inside hosts to share one public address by using port numbers.
  • NAT rules depend on correct inside and outside interface configuration.
  • The ACL used for NAT identifies traffic to translate; it is not always a security filtering ACL.
  • Static NAT maps one private address to one public address, while PAT overloads translations.

Practice set

NAT Gateway questions

20 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A company is designing a new microservices architecture on AWS. Each microservice must be independently deployable and scalable. The company expects unpredictable traffic patterns with sudden spikes. Which combination of AWS services should be used to build a decoupled, resilient system?

Question 2 · medium · multiple choice

A company has a centralized networking team that manages a shared VPC with multiple AWS Transit Gateway attachments. Application teams create VPCs in separate AWS accounts and want to connect to the shared VPC. The networking team needs to ensure that only authorized VPCs can connect to the shared VPC. What is the MOST secure and scalable way to manage this?

Question 3 · medium · multiple choice

A multinational corporation is migrating its on-premises Active Directory (AD) to AWS Managed Microsoft AD. The company has a hub-and-spoke VPC topology with a central transit gateway. The AD domain controllers must be deployed in two different AWS Regions for disaster recovery. The corporate security policy requires that all AD traffic between Regions must traverse the transit gateway and be inspected by a third-party firewall appliance deployed in the inspection VPC. Which architecture meets these requirements?

Question 4 · hard · multi select

A company has a data lake on Amazon S3 that is accessed by multiple business units via VPC endpoints. The security policy mandates that all access to the data lake must be encrypted in transit and originate from approved VPCs. The company has a central security account that manages AWS Network Firewall. Which combination of controls should be implemented to enforce this policy? (Choose TWO.)

Question 5 · hard · multiple choice

A company has multiple AWS accounts that each have their own VPCs with overlapping CIDR ranges. They want to use AWS Transit Gateway to connect these VPCs to a central network account. However, overlapping CIDRs prevent attachment. What is the MOST scalable solution?

Question 6 · hard · multiple choice

Refer to the exhibit. A solutions architect is troubleshooting why EC2 instances launched in subnet-11111111 cannot access the internet. The subnet is in a VPC with an internet gateway attached. The route table for the subnet has a default route (0.0.0.0/0) pointing to the internet gateway. What is the MOST likely cause?

Network Topology

Refer to the exhibit.
$ aws ec2 describe-vpcs --region us-east-1 --query 'Vpcs[0].VpcId'
"vpc-0abcd1234"
$ aws ec2 describe-subnets --filters Name=vpc-id
{
  "Subnets": [
    {
      "SubnetId": "subnet-11111111",
      "CidrBlock": "10.0.1.0/24",
      "MapPublicIpOnLaunch": false
    },
    {
      "SubnetId": "subnet-22222222",
      "CidrBlock": "10.0.2.0/24",

Question 7 · medium · multi select

A company is designing a new serverless application that uses AWS Lambda, Amazon DynamoDB, and Amazon API Gateway. The application must handle burst traffic and cannot lose any data. The company wants to use a dead-letter queue (DLQ) for failed Lambda invocations. Which TWO services can be used as a DLQ for Lambda? (Choose two.)

Question 8 · medium · multiple choice

A company deployed the above CloudFormation template. An EC2 instance launched in the PrivateSubnet needs to access the internet for software updates. Which action is required?

Exhibit

Refer to the exhibit.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "VPC with public and private subnets",
  "Resources": {
    "VPC": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "10.0.0.0/16"
      }
    },
    "PublicSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": { "Ref": "VPC" },
        "CidrBlock": "10.0.1.0/24",
        "MapPublicIpOnLaunch": true
      }
    },
    "PrivateSubnet": {
      "Type": "AWS::EC2::Subnet",
      "Properties": {
        "VpcId": { "Ref": "VPC" },
        "CidrBlock": "10.0.2.0/24"
      }
    }
  }
}

Question 9 · hard · multiple choice

A company is designing a new hybrid cloud solution that requires low-latency access to on-premises data from AWS. The connection must be highly available and encrypted. The company has multiple VPCs and on-premises locations. Which combination of services meets these requirements?

Question 10 · medium · multiple choice

A company is migrating a monolithic application to microservices on Amazon ECS. The application needs to communicate with external partners via HTTPS. The company wants to use mTLS for mutual authentication. Which AWS service should be used to handle the mTLS termination?

Question 11 · medium · multiple choice

A company is building a serverless data processing pipeline. Data is uploaded to an S3 bucket, which triggers a Lambda function to transform the data and store the result in another S3 bucket. The Lambda function needs to access a VPC-hosted database for enrichment. What is the MOST secure way to allow the Lambda function to access the VPC resources?

Question 12 · easy · multiple choice

A company is designing a serverless application using AWS Lambda that processes images uploaded to an S3 bucket. The processing time varies but typically completes within 5 minutes. The Lambda function needs to access a VPC-hosted database. What is the BEST way to configure the Lambda function to access the database while minimizing cold start latency?

Question 13 · easy · multiple choice

A company is designing a new application that will process sensitive financial transactions. The application must be deployed in a VPC with no public internet access. The application needs to send logs to Amazon CloudWatch Logs and store files in Amazon S3. Which set of actions should be taken to meet these requirements without allowing internet access?

Question 14 · hard · multi select

A company is designing a new multi-tier web application on AWS. The application consists of a public-facing Application Load Balancer, a fleet of EC2 instances in private subnets, and an RDS database in a private subnet. The security team requires that all traffic between the ALB and EC2 instances be encrypted, and that the EC2 instances have no direct internet access. Which TWO actions should the company take to meet these requirements? (Choose TWO.)

Question 15 · easy · multi select

A company is designing a new VPC with public and private subnets. The company wants to ensure that instances in the private subnets can download updates from the internet, but cannot be directly accessed from the internet. Which THREE components are required to meet these requirements? (Choose THREE.)

Question 16 · medium · multiple choice

A company is designing a new microservices architecture using Amazon ECS with Fargate. Each service must be isolated within its own VPC and communicate via AWS PrivateLink. The company expects variable traffic and wants to minimize costs. Which solution meets these requirements?

Question 17 · easy · multiple choice

A startup wants to deploy a web application on AWS with a serverless architecture. The application includes static content (HTML, CSS, JS) and a REST API backend using Lambda and DynamoDB. The company wants low latency and high availability globally. Which combination of services should they use?

Question 18 · easy · multi select

A company is hosting a static website on Amazon S3. The website uses JavaScript to make API calls to a backend API hosted on Amazon API Gateway. The company wants to reduce latency for users worldwide. Which combination of AWS services should the solutions architect use? (Choose two.)

Question 19 · hard · multiple choice

A company is designing a microservices architecture on ECS with Fargate. Services need to communicate securely within a VPC and be accessible from the internet via an Application Load Balancer. The solution must minimize operational overhead. Which networking configuration should be used?

Question 20 · hard · multi select

A company is migrating a legacy application to AWS. The application requires static IP addresses for whitelisting by third-party APIs. The company plans to use an Application Load Balancer with EC2 instances. Which two steps should the company take to ensure the ALB has a consistent set of IP addresses? (Choose TWO.)

Frequently asked questions

What does the SAP-C02 exam test about NAT Gateway?
NAT questions usually test how private addresses are translated, when to use static NAT, dynamic NAT or PAT, and how inside/outside interfaces affect traffic flow.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just NAT Gateway questions in a focused session?
Yes — the session launcher on this page draws every question from the NAT Gateway domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SAP-C02 topics?
Use the topic links above to move to related areas, or go back to the SAP-C02 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SAP-C02 exam covers. They are not copied from any real exam or dump site.