Jeff’s Note #
Unlike generic exam dumps, ADH analyzes this scenario through the lens of a Real-World Site Reliability Engineer (SRE).
For SOA-C02 candidates, the confusion often lies in understanding which subnet’s route table must point to a NAT gateway for private subnet internet access. In production, this is about knowing exactly how NAT gateways work with routing tables and subnet design to enable outbound internet connectivity securely without exposing private instances. Let’s drill down.
The Certification Drill (Simulated Question) #
Scenario #
CloudOps Inc., a global SaaS company, has recently created a new VPC environment to support their backend services. The VPC contains two subnets: one public subnet connected directly to the Internet Gateway and another private subnet hosting application EC2 instances. The company’s SRE team notices that EC2 instances launched in the private subnet cannot access the internet for software updates and external API calls. The default network ACLs are active on both subnets, and all security groups allow all outbound traffic. The team suspects the issue is related to how traffic routing is configured.
The Requirement: #
Provide the most effective solution that enables the EC2 instances in the private subnet to access the internet, while following AWS best practices for secured networking.
The Options #
- A) Create a NAT gateway in the public subnet. Add a route in the private subnet’s route table pointing to the NAT gateway.
- B) Create a NAT gateway in the public subnet. Add a route in the public subnet’s route table pointing to the NAT gateway.
- C) Create a NAT gateway in the private subnet. Add a route in the public subnet’s route table pointing to the NAT gateway.
- D) Create a NAT gateway in the private subnet. Add a route in the private subnet’s route table pointing to the NAT gateway.
Correct Answer #
A
Quick Insight: The SOA-C02 Imperative #
The key to VPC internet access is that a NAT gateway must be deployed in a public subnet, and only the private subnet's route table sends outbound traffic through it. Public subnets reach the internet via the Internet Gateway (IGW) directly, so a route to the NAT gateway in the public subnet's route table is unnecessary and incorrect.
The Expert’s Analysis #
Correct Answer #
Option A
The Winning Logic #
The NAT gateway must reside in the public subnet because it needs direct internet access via the Internet Gateway (IGW). Then, the private subnet’s route table must have a route directing all internet-bound traffic (0.0.0.0/0) to that NAT gateway. This setup allows instances in the private subnet to initiate outbound internet connections while remaining inaccessible from the internet.
- The default network ACLs are stateless but allow all traffic, and the security groups allow all outbound traffic, so the missing piece is a route in the private subnet's route table pointing to the NAT gateway.
- The NAT gateway performs network address translation (the instance's private source IP is rewritten to the NAT gateway's Elastic IP) and forwards the traffic to the IGW, so private instances can initiate outbound connections without being reachable from the internet.
The Trap (Distractor Analysis) #
- Option B: A route from the public subnet's route table to the NAT gateway is unnecessary and incorrect, because instances in the public subnet already reach the internet through the Internet Gateway directly; the private subnet's routing is left unchanged, so its instances still have no internet path.
- Options C and D: NAT gateways cannot be created in private subnets, since they require a public IP to function. A NAT gateway placed in a private subnet has no route to the internet.
- Option D in particular: even with the private subnet's route pointing at a NAT gateway in that same private subnet, the setup is invalid because the NAT gateway itself has no internet connectivity.
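To make the routing logic behind the winning answer and the distractor analysis concrete, here is an added example that is not code from this study note or from AWS. It models the scenario's VPC with dictionaries shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` (all IDs are constructed placeholders; `subnet-public123` and `rtb-private456` are reused from the blueprint below), then follows the private subnet's default route hop by hop: subnet, route table, NAT gateway, the NAT gateway's own subnet, and so on until it reaches an Internet Gateway or fails. It goes beyond the single case in the text by evaluating all four options, performing longest-prefix matching the way the VPC router does, and treating a blackhole route or a NAT gateway that routes back to itself as "no internet path".

```python
"""Follow a subnet's default route to decide whether it reaches the internet.

Added example for this study note (not AWS's or the note's own code). It
models the scenario's VPC with dicts shaped like the output of
`aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`, then
walks subnet -> route table -> NAT gateway -> NAT gateway's subnet -> ...
-> internet gateway. All IDs below are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

VPC_ID = "vpc-0placeholder"
VPC_CIDR = "10.0.0.0/16"
IGW_ID = "igw-0placeholder"
NAT_ID = "nat-0placeholder"
PUBLIC_SUBNET = "subnet-public123"    # placeholder reused from the blueprint
PRIVATE_SUBNET = "subnet-private789"  # constructed
PUBLIC_RTB = "rtb-public123"          # constructed
PRIVATE_RTB = "rtb-private456"        # placeholder reused from the blueprint


def route_table_for_subnet(route_tables, subnet_id):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def best_route(rt, dest_ip):
    """Longest-prefix match, as the VPC router does."""
    dest = ip_address(dest_ip)
    matches = [r for r in rt["Routes"] if dest in ip_network(r["DestinationCidrBlock"])]
    return max(matches, key=lambda r: ip_network(r["DestinationCidrBlock"]).prefixlen,
               default=None)


def egress_path(route_tables, nat_gateways, subnet_id, dest_ip="203.0.113.10", max_hops=4):
    """Return the list of hops to the internet gateway, or None if there is no path."""
    path = [subnet_id]
    for _ in range(max_hops):
        rt = route_table_for_subnet(route_tables, subnet_id)
        route = best_route(rt, dest_ip) if rt else None
        if route is None or route.get("State") != "active":
            return None                      # no default route, or a blackhole route
        path.append(rt["RouteTableId"])
        if route.get("GatewayId", "").startswith("igw-"):
            path.append(route["GatewayId"])
            return path
        nat_id = route.get("NatGatewayId")
        if not nat_id:
            return None                      # "local" or some other target: no internet
        nat = nat_gateways.get(nat_id)
        if nat is None or nat["State"] != "available":
            return None
        path.append(nat_id)
        subnet_id = nat["SubnetId"]          # the NAT's own subnet must reach the IGW
        path.append(subnet_id)
    return None                              # loop: the NAT routes back to itself


def build_vpc(nat_subnet, routed_subnet):
    """Return (route_tables, nat_gateways) for one answer option.

    nat_subnet:    the subnet the NAT gateway is created in
    routed_subnet: the subnet whose route table gets 0.0.0.0/0 -> NAT gateway
    """
    route_tables = [
        {"RouteTableId": PUBLIC_RTB, "VpcId": VPC_ID,
         "Associations": [{"SubnetId": PUBLIC_SUBNET}],
         "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}]},
        {"RouteTableId": PRIVATE_RTB, "VpcId": VPC_ID,
         "Associations": [{"SubnetId": PRIVATE_SUBNET}],
         "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"}]},
    ]
    nat_gateways = {NAT_ID: {"NatGatewayId": NAT_ID, "SubnetId": nat_subnet,
                             "State": "available", "ConnectivityType": "public"}}
    rt = route_table_for_subnet(route_tables, routed_subnet)
    # Set (or replace) the default route, like `aws ec2 replace-route`;
    # `create-route` would instead fail if a 0.0.0.0/0 route already exists.
    rt["Routes"] = [r for r in rt["Routes"] if r["DestinationCidrBlock"] != "0.0.0.0/0"]
    rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": NAT_ID,
                         "State": "active"})
    return route_tables, nat_gateways


OPTIONS = {  # option -> (NAT gateway subnet, subnet whose route table points at it)
    "A": (PUBLIC_SUBNET, PRIVATE_SUBNET),
    "B": (PUBLIC_SUBNET, PUBLIC_SUBNET),
    "C": (PRIVATE_SUBNET, PUBLIC_SUBNET),
    "D": (PRIVATE_SUBNET, PRIVATE_SUBNET),
}


def evaluate_options():
    """Map each option to the private subnet's egress path (None = no internet)."""
    return {name: egress_path(*build_vpc(nat_subnet, routed), PRIVATE_SUBNET)
            for name, (nat_subnet, routed) in OPTIONS.items()}


if __name__ == "__main__":
    for name, path in evaluate_options().items():
        print(name, "->", " > ".join(path) if path else "no internet path")
```

Only option A yields a complete path (private subnet, its route table, the NAT gateway, the public subnet, its route table, the IGW). Options B and C never touch the private route table, so its only route is `local`; option D sends the NAT gateway's traffic back through the same private route table, which the hop limit reports as a loop. The same `egress_path` function can be pointed at real `describe-route-tables` / `describe-nat-gateways` output to audit an existing VPC.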
The Technical Blueprint #
```bash
# Example CLI commands to create a NAT gateway and route the private subnet through it
# Step 1: Create the NAT gateway in the public subnet (a public NAT gateway needs an Elastic IP)
ALLOC_ID=$(aws ec2 allocate-address --domain vpc --query AllocationId --output text)
NAT_ID=$(aws ec2 create-nat-gateway --subnet-id subnet-public123 --allocation-id "$ALLOC_ID" \
  --query NatGateway.NatGatewayId --output text)
aws ec2 wait nat-gateway-available --nat-gateway-ids "$NAT_ID"
# Step 2: Add a default route in the private subnet's route table pointing at the NAT gateway
# (the public subnet's route table keeps its existing 0.0.0.0/0 route to the Internet Gateway)
aws ec2 create-route --route-table-id rtb-private456 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id "$NAT_ID"
```
The Comparative Analysis #
| Option | Operational Overhead | Automation Level | Impact |
|---|---|---|---|
| A | Medium - Deploy NAT + Update route tables | Easy to automate via CLI/CloudFormation | Correct routing enables outbound internet from private subnet |
| B | Misconfigured - redundant route | No benefit | Public subnet does not need NAT |
| C | Invalid - NAT in private subnet | Cannot automate | NAT gateway non-functional |
| D | Invalid - NAT in private subnet | Cannot automate | No internet access possible |
Real-World Application (Practitioner Insight) #
Exam Rule #
For the exam, always pick NAT gateways in public subnets when you see private subnets requiring outbound internet access.
Real World #
In reality, companies often use PrivateLink or VPC endpoints for controlled access to AWS services, which reduces NAT gateway cost and complexity, but NAT gateways remain essential for general internet access.
Disclaimer
This is a study note based on simulated scenarios for the SOA-C02 exam.