
AWS DVA-C02 Drill: Lambda VPC Connectivity - NAT Gateway Versus Internet Gateway

Jeff Taakey
21+ Year Enterprise Architect | AWS SAA/SAP & Multi-Cloud Expert.

Jeff’s Note

Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Lead Developer.

For DVA-C02 candidates, the confusion often lies in understanding how Lambda functions interact with VPC networking. In production, this is about knowing exactly how outbound internet traffic is routed from private subnets and the role of NAT gateways versus Internet gateways for Lambda. Let’s drill down.

The Certification Drill (Simulated Question)

Scenario

DataPulse Solutions is building a serverless data aggregator using AWS Lambda to pull and consolidate real-time stock market data from multiple public APIs. To enforce stricter security controls, the lead developer recently updated the Lambda function’s VPC configuration to run inside a private subnet of their VPC. The VPC has an attached Internet Gateway and uses default security groups and network ACLs.

After this change, the Lambda function can no longer retrieve data from the public APIs, even though the APIs are confirmed accessible externally.

The Requirement:

Identify the correct network configuration adjustment to allow the Lambda function in the private subnet to regain internet access while preserving security best practices.

The Options

  • A) Ensure that the network ACL allows outbound traffic to the public internet.
  • B) Ensure that the security group allows outbound traffic to the public internet.
  • C) Ensure that outbound traffic from the private subnet is routed to a public NAT gateway.
  • D) Ensure that outbound traffic from the private subnet is routed to a new internet gateway.


Correct Answer

C

Quick Insight: The Developer Imperative

Connecting a Lambda function to a VPC attaches it to elastic network interfaces that carry private IP addresses only. An Internet Gateway performs one-to-one NAT for resources that own a public or Elastic IP, so an IGW attached to the VPC does nothing for Lambda traffic by itself: a private subnet has no route to the IGW at all, and even a public subnet's IGW route leads to a gateway that cannot translate a private-only address. This is why the function stops reaching the public APIs the moment it is moved into the VPC.

You must give the private subnet's route table a 0.0.0.0/0 route to a NAT gateway that sits in a public subnet (one whose own route table sends 0.0.0.0/0 to the IGW). The NAT gateway translates the function's private source address to its Elastic IP and forwards the traffic through the IGW. Attaching an Internet Gateway to the VPC, or loosening security groups or network ACLs, does not by itself restore access.


The Expert’s Analysis

The Winning Logic

When you place a Lambda function in a private subnet, its traffic follows that subnet's route table, which by definition has no route to the Internet Gateway. The points that matter:

  • An Internet Gateway only forwards traffic for network interfaces that have a public IPv4 or Elastic IP. Lambda's VPC network interfaces have private addresses only, so an IGW route can never serve Lambda traffic directly, whether the subnet is private or public.
  • To reach the internet, the private subnet's 0.0.0.0/0 route must point at a NAT Gateway that lives in a public subnet.
  • The NAT Gateway owns an Elastic IP, and its public subnet routes 0.0.0.0/0 to the IGW. It rewrites the Lambda's private source address to that Elastic IP, so connections initiated from the private subnet (for example, to the public stock APIs) succeed, while connections initiated from the internet toward the function are never accepted.
  • The default security group allows all outbound traffic, and the default network ACL allows all inbound and outbound traffic, so neither is the culprit in this scenario unless someone has customized them.
  • Pointing the private subnet at an Internet Gateway (Option D) fails twice over: a VPC can have only one IGW attached, so there is no "new" one to add, and an IGW route would merely turn the subnet into a public one whose Lambda interfaces still lack a public IP, while undoing the isolation the change was meant to introduce.

Therefore, configuring the private subnet's route table to send 0.0.0.0/0 to a NAT Gateway in a public subnet restores the Lambda's outbound connectivity without exposing the function's network interfaces to inbound traffic from the internet.

The Trap (Distractor Analysis):

  • Why not A? The default network ACL is stateless but allows all inbound and outbound traffic, so both the request and the stateless return path are already permitted. Unless it has been customized, it is not what is blocking the function; verify it after the route table, not before.
  • Why not B? The default security group allows all outbound traffic, and security groups are stateful, so replies are admitted automatically. Unless the function's security group has been locked down, this is not the cause.
  • Why not D? A VPC supports a single attached Internet Gateway, so "a new internet gateway" cannot be added, and routing 0.0.0.0/0 from the private subnet to the existing IGW simply makes that subnet public. Lambda's network interfaces have no public IP, so the IGW still cannot forward their traffic, and the subnet loses the isolation the change was meant to provide.
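The fastest way to tell which of these four situations a function is actually in is to read its subnets' route tables rather than reason from the console's "public/private" labels. The Python below is an added example, not part of the original drill: it parses the JSON shape returned by `aws ec2 describe-route-tables`, resolves each subnet listed in the function's VpcConfig.SubnetIds to its explicitly associated route table (falling back to the VPC's main table, as EC2 does), and classifies the 0.0.0.0/0 route as absent, blackhole, NAT gateway or IGW. The route tables, subnet IDs and gateway IDs are constructed for this scenario; in practice you would feed it the output of `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`.

```python
import json

# Constructed sample of `aws ec2 describe-route-tables` output for the drill's VPC.
# It is not captured from a real account. It contains:
#   rtb-main000     main table, 0.0.0.0/0 -> IGW (any subnet with no explicit association uses it)
#   rtb-private123  explicit table for subnet-private123, no default route (the scenario's failure)
#   rtb-private456  default route to a NAT gateway that has since been deleted (blackhole)
#   rtb-private789  default route to a live NAT gateway (the corrected configuration)
SAMPLE_ROUTE_TABLES = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main000",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main000"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa1111", "State": "active"}]},
  {"RouteTableId": "rtb-private123",
   "Associations": [{"Main": false, "SubnetId": "subnet-private123", "RouteTableId": "rtb-private123"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
  {"RouteTableId": "rtb-private456",
   "Associations": [{"Main": false, "SubnetId": "subnet-private456", "RouteTableId": "rtb-private456"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0deadbeef", "State": "blackhole"}]},
  {"RouteTableId": "rtb-private789",
   "Associations": [{"Main": false, "SubnetId": "subnet-private789", "RouteTableId": "rtb-private789"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"}]}
]}
""")


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with subnet_id, else the VPC's main table.

    Subnets without an explicit association silently inherit the main table, which is
    how a "private" subnet can turn out to be public without anyone touching it.
    """
    main = None
    for table in route_tables["RouteTables"]:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def classify_egress(table):
    """Explain what the table's 0.0.0.0/0 route means for a Lambda ENI (private IP only)."""
    if table is None:
        return "error: no route table found"
    default_routes = [r for r in table.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    if not default_routes:
        return "isolated: no 0.0.0.0/0 route, Lambda cannot reach the internet"
    route = default_routes[0]
    if route.get("State") != "active":
        return f"broken: 0.0.0.0/0 route is {route.get('State')}, its target no longer exists"
    if route.get("NatGatewayId"):
        return f"private-with-nat: 0.0.0.0/0 -> {route['NatGatewayId']}, Lambda egress works"
    if str(route.get("GatewayId", "")).startswith("igw-"):
        # An IGW route makes the subnet public, but an IGW only forwards for ENIs that own a
        # public or Elastic IP. Lambda's ENIs never do, so this still yields no connectivity.
        return f"public: 0.0.0.0/0 -> {route['GatewayId']}, but Lambda ENIs have no public IP, egress fails"
    return "unknown: 0.0.0.0/0 points at an unrecognised target"


def diagnose_lambda_egress(route_tables, lambda_subnet_ids):
    """Map every subnet in the function's VpcConfig.SubnetIds to an egress verdict."""
    return {sid: classify_egress(route_table_for_subnet(route_tables, sid)) for sid in lambda_subnet_ids}


if __name__ == "__main__":
    # subnet-public123 has no explicit association, so it falls back to rtb-main000.
    subnets = ["subnet-private123", "subnet-private456", "subnet-private789", "subnet-public123"]
    for subnet, verdict in diagnose_lambda_egress(SAMPLE_ROUTE_TABLES, subnets).items():
        print(f"{subnet}: {verdict}")
```

The main-table fallback and the blackhole state are the two details operators most often miss: a subnet that was never explicitly associated inherits the main table (and becomes public if the main table points at the IGW), and a NAT gateway deleted to save cost leaves behind a 0.0.0.0/0 route that looks correct in the console until you inspect its State.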

The Technical Blueprint

# Example AWS CLI commands to create a NAT Gateway and point the private subnet at it.
# IDs are placeholders. The public subnet's route table must already send 0.0.0.0/0 to the IGW.

# 1. Allocate an Elastic IP for the NAT Gateway and capture its AllocationId
ALLOC_ID=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)

# 2. Create a public NAT Gateway in the public subnet and wait until it is available
NAT_ID=$(aws ec2 create-nat-gateway --subnet-id subnet-public123 --allocation-id "$ALLOC_ID" \
  --connectivity-type public --query NatGateway.NatGatewayId --output text)
aws ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_ID"

# 3. Add a default route in the PRIVATE subnet's route table (the one associated with the
#    Lambda's subnet) to the NAT Gateway. Use replace-route instead if a 0.0.0.0/0 route exists.
aws ec2 create-route --route-table-id rtb-private123 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_ID"

The Comparative Analysis

Option | API/Config Focus                | Use Case                                      | Outcome
A      | Network ACL rules               | Subnet-level, stateless filtering             | Default allows all traffic; unlikely cause
B      | Security group outbound rules   | Function-level, stateful filtering            | Default allows all outbound; rarely the issue
C      | Route table + NAT Gateway       | Egress from a private subnet                  | Correct; restores access to the public APIs
D      | Route table + Internet Gateway  | Egress for resources that hold a public IP    | Only one IGW per VPC, and Lambda ENIs have no public IP; no connectivity

Real-World Application (Practitioner Insight)

Exam Rule

For the exam, always pick NAT Gateway when you see “Lambda in private subnet needs internet access.”

Real World

In reality, teams often add VPC endpoints (gateway endpoints for S3 and DynamoDB, interface endpoints via AWS PrivateLink for most other services) so that calls to AWS services never leave the VPC and do not depend on, or pay for, the NAT Gateway. For third-party public APIs, however, a NAT Gateway in a public subnet remains the standard approach. Keep the function in the private subnet, and restrict its security group egress to the destinations and ports it actually needs so the NAT path is not a blanket route to the internet.




Disclaimer

This is a study note based on simulated scenarios for the AWS DVA-C02 exam.

The DevPro Network: Mission and Founder

A 21-Year Tech Leadership Journey

Jeff Taakey has driven complex systems for over two decades, serving in pivotal roles as an Architect, Technical Director, and startup Co-founder/CTO.

He holds both an MBA degree and a Computer Science Master's degree from an English-speaking university in Hong Kong. His expertise is further backed by multiple international certifications including TOGAF, PMP, ITIL, and AWS SAA.

His experience spans diverse sectors and includes leading large, multidisciplinary teams (up to 86 people). He has also served as a Development Team Lead while cooperating with global teams spanning North America, Europe, and Asia-Pacific. He has spearheaded the design of an industry cloud platform. This work was often conducted within global Fortune 500 environments like IBM, Citi and Panasonic.

Following a recent Master’s degree from an English-speaking university in Hong Kong, he launched this platform to share advanced, practical technical knowledge with the global developer community.


About This Site: AWS.CertDevPro.com


AWS.CertDevPro.com focuses exclusively on mastering the Amazon Web Services ecosystem. We transform raw practice questions into strategic Decision Matrices. Led by Jeff Taakey (MBA & 21-year veteran of IBM/Citi), we provide the exclusive SAA and SAP Master Packs designed to move your cloud expertise from certification-ready to project-ready.