The Jeff’s Note (Contextual Hook) #
Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in route table configurations allowing private subnet instances to access the internet without breaking isolation. In production, this is about knowing exactly how to route private subnet traffic through the NAT gateway instead of the internet gateway. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
Acme Energy Co. is running internal business-critical applications inside a private subnet within their AWS VPC (10.0.2.0/24). These instances need to download urgent OS patches from the public internet without exposing them directly to inbound internet traffic.
The VPC already has an internet gateway attached and a NAT gateway deployed in the public subnet (10.0.1.0/24). The public subnet’s route table includes a route directing all internet-bound traffic (0.0.0.0/0) to the internet gateway. Currently, the private subnet’s route table only contains a route for the local VPC CIDR (10.0.0.0/16) to itself.
The requirement is to enable instances in the private subnet to initiate outbound internet connections for patch downloads while ensuring they remain inaccessible from the internet.
The Requirement: #
Which route should be added to the private subnet’s route table to enable the instances to connect to the internet via the NAT gateway and maintain private subnet isolation?
The Options #
- A) 0.0.0.0/0 → Internet Gateway (IGW)
- B) 0.0.0.0/0 → NAT Gateway
- C) 10.0.1.0/24 → Internet Gateway (IGW)
- D) 10.0.1.0/24 → NAT Gateway
Google adsense #
leave a comment:
Correct Answer #
B
Quick Insight: The SysOps Imperative #
- The private subnet’s route table must direct all traffic destined for outside the VPC (0.0.0.0/0) to the NAT gateway, not the internet gateway.
- Internet gateway does not support routing for private subnet outbound traffic directly; it only handles public subnet traffic.
- Ensuring this routing preserves security by allowing outbound internet connectivity without direct inbound access.
Content Locked: The Expert Analysis #
You’ve identified the answer. But do you know the implementation details that separate a Junior from a Senior?
The Expert’s Analysis #
Correct Answer #
Option B) 0.0.0.0/0 → NAT Gateway
The Winning Logic #
Because the instances reside in a private subnet with no direct internet access, they cannot route outbound traffic through the internet gateway (IGW), which only serves the public subnet. Instead, their default route for internet-bound traffic must instead point to a NAT gateway in a public subnet, which handles the translation and forwards requests to the IGW on their behalf.
- This preserves security by preventing unsolicited inbound internet traffic.
- The NAT gateway enables outbound connection to the internet (e.g., for patch downloads).
- The private subnet route table must explicitly route 0.0.0.0/0 traffic to the NAT gateway’s ID.
The Trap (Distractor Analysis): #
-
Why not A (0.0.0.0/0 → IGW)?
The IGW is only reachable from public subnet instances with public IPs. Routing private subnet traffic directly to IGW doesn’t work because AWS requires NAT translation for private subnet outbound internet connectivity. -
Why not C (10.0.1.0/24 → IGW)?
Routing only the public subnet CIDR to IGW is incorrect and unnecessary. The private subnet traffic destined for the internet is not within 10.0.1.0/24 and the IGW cannot route that. -
Why not D (10.0.1.0/24 → NAT)?
Routes must cover the full internet space (0.0.0.0/0) and not just the public subnet CIDR. Traffic destined for external IPs is what needs NAT translation, not internal subnet traffic.
The Technical Blueprint #
# Example AWS CLI command to add the correct route:
aws ec2 create-route --route-table-id rtb-abcdef1234567890 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-0abc123de456fgh78
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | Low (Simple Route) | None | Fails; private subnet doesn’t have IGW path |
| B | Moderate (Requires NAT setup) | Easily automated with CloudFormation or CLI | Correct; enables private subnet internet access securely |
| C | N/A | N/A | Incorrect route, routes only for public subnet CIDR |
| D | N/A | N/A | Incorrect route; CIDR too narrow, not for internet |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick a NAT gateway route (0.0.0.0/0 → NAT) when you see private subnet instances needing outbound internet connectivity for updates or downloads.
Real World #
In production, you might also consider NAT instances if cost constraints exist, or AWS Systems Manager Patch Manager for patch automation without internet-bound traffic.
(CTA) Stop Guessing, Start Mastering #
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.