Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 472 discussion

B) CORRECT NAT gateways are solution when you want EC2 instances to gain outbound internet access from the private subnets

Ans: D because there should not be any access to EC2 from internet even it has public IP address.

"payment provider must expressly permit access to the public IP address of the server making the payment request" That makes me think that the server needs to directly talk to the payment provider, but maybe NAT gateway is what they are looking for if you just need connectivity to the payment provider without directly accessing the internet.

B is wrong! the remote server will still have to route back over the internet to give a reply to the payment requester!! That means it needs access to internet. The only way to make it private is by using a VPN and route the traffic using private IP addresses. D is the correct answer!!

Not C why? Cos ALB even though it is in the public subnet CANNOT source traffic on behalf of ec2 towards the Internet. It is a receive only end point for connection into the ALB. Client VPN is also not valid as it requires the far end system to have a VPN/SSL server.

Key: ec2 instances in pvt subnet while 3rd party needs access to the ip which is sending the request Expectations: ec2 instances should not be exposed Distractors: A/C/D A is wrong as it talks about public ip of an instnace launched in pvt subnet C is a distractor, as there is no need for ALB, quesiton doens't ask for HA also pvt subnet ec2 instances cannot talk directly to alb D is wrong for smae reasons. B is the only way pvt subnets can send requests to outer world

https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/

The dependent batch jobs will wait for its dependency to complete before beginning its execution. These dependencies can be direct (from the same Sequence of jobs) or indirect (from the same workflow but a different sequence of jobs), please see Figure 4:- Job Execution HLD version 2.0. The outcome of the execution result of the dependency job will have the following impact on the dependent job

1) Not A bcos having EIP on any PrivateSubnet EC2 server will not allow any outbound initiated traffic to the internet due to the route table of any PrivateSubnet will have no default target route to the IGW. To solve that, the EC2 must be in the PublicSubnet instead. 2) Not C bcos ALB is to expose an App Endpoint to the 3rd party payment provider to initiate inbound traffic flow into the VPC, not the other way round. 3) Not D bcos Question never ask for secure link encryption and never state the 3rd party payment provider is providing the VPN GW for the ecommerce firm to VPN in. Moreover, the company's security regulations will block such VPN client request from any internal server EC2 to the public internet.

Answer is C https://aws.amazon.com/premiumsupport/knowledge-center/public-load-balancer-private-ec2/ Why not B: When you create a NAT gateway, you specify one of the following connectivity types: Public – (Default) Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html

B "You create a public NAT gateway in a public subnet and must associate an elastic IP address with the NAT gateway at creation. You route traffic from the NAT gateway to the internet gateway for the VPC. " We can provide this elastic IP to the payment service.

B. NAT GW in the public subnet.

Answer C. The NAT gateways are only used to get inbound connection from the Internet like software updates to the Windows / Linux machines In that case C is supposed to be the answer

B) NAT Gateway

B) is the way to go

Thinking its C