Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in knowing which IP address to specify for a customer gateway behind a NAT device. In production, this is about understanding exactly how AWS expects the public IP to be represented in the customer gateway resource to ensure proper VPN connectivity. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
A company called TechNova operates a hybrid network connecting its on-premises data center to AWS via a Site-to-Site VPN. Their customer gateway device, located in their data center, sits behind a NAT gateway that handles IP masquerading to the public internet.
The TechNova SysOps team is tasked with creating the AWS Customer Gateway resource, which requires specifying the IP address of the on-premises customer gateway device.
The Requirement #
Determine which IP address should be used when creating the AWS Customer Gateway resource to successfully establish the VPN tunnel through the NAT gateway.
The Options #
- A) The private IP address of the customer gateway device inside the data center
- B) The MAC address of the NAT gateway device in front of the customer gateway
- C) The public IP address assigned directly to the customer gateway device
- D) The public IP address assigned to the NAT gateway device in front of the customer gateway
Correct Answer #
D) The public IP address assigned to the NAT gateway device in front of the customer gateway
Quick Insight: The SOA (SysOps) Imperative #
AWS requires the customer gateway resource’s IP to be the public IP address that AWS VPN endpoints connect to. When the on-premises device is behind a NAT gateway, AWS sees the NAT’s public IP, not the device’s private or potentially non-routable IPs. This distinction avoids connectivity failure.
The Expert’s Analysis #
Correct Answer #
Option D
The Winning Logic #
AWS Customer Gateway resources require a public IP that is reachable from the AWS VPN endpoints. When the customer gateway device is behind a NAT gateway, the NAT gateway’s public IP address is what AWS VPN tunnels will connect to. Internally, the customer gateway device has a private IP not directly routable on the internet.
- The customer gateway must present an IP address visible and routable from AWS endpoints.
- NAT translates the private customer gateway IP to its own public IP for outbound connections.
- Therefore, specifying the NAT gateway’s public IP is what lets the VPN tunnel be established; for bi-directional traffic to actually flow, the NAT device must also pass the IKE and NAT-T traffic (UDP 500 and 4500) through to the customer gateway device.
The Trap (Distractor Analysis) #
- A) Private IP of the customer gateway device: Not reachable by AWS over the internet; leads to unreachable VPN endpoint errors.
- B) MAC address of the NAT gateway: MAC addresses are link-layer identifiers, irrelevant at the IP routing layer and not accepted in the AWS customer gateway specification.
- C) Public IP assigned directly to the customer gateway device: This would be correct if the device were directly connected to the internet, but in this scenario the device sits behind a NAT, so no such public IP exists on it.
The Technical Blueprint #
```bash
# Example AWS CLI command to create a customer gateway specifying the NAT's public IP
aws ec2 create-customer-gateway \
  --bgp-asn 65000 \
  --type ipsec.1 \
  --public-ip <NAT-Gateway-Public-IP> \
  --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=TechNovaCGW}]'
```
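Before running that command, a pre-flight check that the value bound for `--public-ip` is actually a publicly routable address catches options A and B mechanically. This Python example is added here and is not part of the original note; the `classify_cgw_address` and `build_create_cgw_command` helpers and the sample addresses are constructed for illustration.

```python
import ipaddress
import re

# Named ranges so a rejection says *why*; the catch-all flags below cover
# loopback, multicast and other reserved space. (Example code, not from the note.)
NON_ROUTABLE_V4 = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 shared/carrier-grade NAT": ["100.64.0.0/10"],
    "RFC 3927 link-local": ["169.254.0.0/16"],
}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def classify_cgw_address(value: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate --public-ip value."""
    if MAC_RE.match(value):
        return False, "MAC address is a link-layer identifier, not an IP (option B)"
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False, f"not an IP address: {value!r}"
    if ip.version == 6:
        ok = ip.is_global
        return ok, ("IPv6 global unicast" if ok else f"{ip} is not globally routable")
    for reason, cidrs in NON_ROUTABLE_V4.items():
        if any(ip in ipaddress.ip_network(c) for c in cidrs):
            return False, f"{reason}: AWS VPN endpoints cannot reach {ip} (option A)"
    if ip.is_loopback or ip.is_multicast or ip.is_unspecified or ip.is_reserved:
        return False, f"{ip} is reserved space, never reachable from AWS"
    return True, f"{ip} is a public address AWS VPN endpoints can reach"

def build_create_cgw_command(public_ip: str, bgp_asn: int = 65000,
                             name: str = "TechNovaCGW") -> list[str]:
    """Build argv for `aws ec2 create-customer-gateway`, refusing bad addresses."""
    ok, reason = classify_cgw_address(public_ip)
    if not ok:
        raise ValueError(f"refusing to create customer gateway: {reason}")
    return ["aws", "ec2", "create-customer-gateway",
            "--bgp-asn", str(bgp_asn), "--type", "ipsec.1",
            "--public-ip", public_ip, "--tag-specifications",
            f"ResourceType=customer-gateway,Tags=[{{Key=Name,Value={name}}}]"]

if __name__ == "__main__":
    # Constructed sample values for the TechNova scenario: the device's private
    # IP (A), the NAT's MAC (B) and the NAT's public IP (D; 203.0.113.7 is a
    # documentation address standing in for a real one).
    for candidate in ["10.20.30.40", "02:42:ac:11:00:02", "203.0.113.7"]:
        print(f"{candidate:>18} -> {classify_cgw_address(candidate)}")
    print(" ".join(build_create_cgw_command("203.0.113.7")))
```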
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact on VPN Connectivity |
|---|---|---|---|
| A | High troubleshooting | Low | VPN tunnels unreachable (private IP) |
| B | N/A (irrelevant) | N/A | Invalid identifier, no connectivity |
| C | Low if public IP exists | Medium | Only works if device has public IP directly |
| D | Low | High | Correctly routes VPN through NAT gateway |
Real-World Application (Practitioner Insight) #
Exam Rule #
“For the exam, always specify the public IP address reachable from AWS endpoints when creating a customer gateway.”
Real World #
“In production, many networks place VPN devices behind NAT gateways or firewalls. Remember: AWS Side VPN tunnels terminate on the NAT public IP, not on the internal private IP of the VPN device.”
Disclaimer
This is a study note based on simulated scenarios for the AWS SOA-C02 exam.