Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 281 discussion

B A NAT Gateway does something similar, but with two main differences: It allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, OS patch, etc) It only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Many of the answers in this site seem to be wrong and the ones voted by users seem to be right. What is the source of answer to this site ? Already the questions are tricky, and placing a wrong answer as the answer, costs our success in the exam.

To maximize security and minimize operational overhead, the solutions architect should deploy a NAT gateway in the public subnets and modify the private subnet route table to direct all internet-bound traffic to the NAT gateway. This approach allows the MySQL cluster to securely retrieve product catalog and pricing information from the third-party provider without exposing the private subnet to the internet. The NAT gateway acts as a transparent proxy for the MySQL cluster and enables traffic to flow in both directions while blocking unsolicited traffic from the internet. C is incorrect because configuring an internet gateway and attaching it to the VPC exposes the private subnet to the internet, which is unnecessary and increases the risk of unauthorized access

Nat gateway is less expensive than Nat instance, and less work. C wrong because you must not allow internet traffic in the private subnet.

It can't be "C" . You just threw all your safeguards for security out the window

A solutions architect's objective is to develop a plan that optimizes security without raising operating costs. A : It does not cause availability risks or bandwidth constraints on your network traffic. There's no additional charge for having an internet gateway in your account. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html

i would go with B

NAT gateway can't satisfy the condition. "~ without raising operating costs" I know B is the best answer among others. "Bastion host" must've been one of A,B,C,D.

B looks great

i see Kenisworld666 said BBBB... I love the way it is stressed. Why would the website with so many references have questions with arguably wrong answer. I go with BBBBBBB too

NAT instance is the best way to get updates or stuff like that from the Internet wt doing the priv-subnet as a public subnet. This happens with option C, where it shouldn't open the priv-sub bc it will be a pub-subnet

I dun understand why the suggested answer is still C for if a "private subnet" route table is to modify with the default route to the IGW, why you still call it a "private subnet", haha. Private Subnet is truly private forbidding any request traffic to be initiated from the public Internet. The Answer must be B to use NAT GW bcos the case does not ask for bastion host function.

BBBBBBBBBBBBBBBBBBBBB

i would say (b) but NAT Gateways cost money and the question states "without increasing operational overhead" so..

It has to be B

BBBBBBBBBBBBBBBBBBBBBBBBBBBBB

Definitely B - NAT Gateway. Refer to this if you are confused why it is in the public subnet - https://serverfault.com/questions/854475/aws-nat-gateway-in-public-subnet-why