AWS Certified Advanced Networking Specialty Practice Exam


Prepare for the AWS Certified Advanced Networking Specialty Exam with detailed flashcards and multiple-choice questions. Each question includes hints and explanations. Ace your exam with confidence!



What type of AWS resource must be configured to allow instances in a private subnet to access the Internet?

  1. Elastic IP

  2. NAT instance

  3. VPC peering

  4. VPN connection

The correct answer is: NAT instance

To allow instances in a private subnet to access the Internet, a NAT (Network Address Translation) instance must be configured. The NAT instance serves as a bridge between the private subnet and the public Internet, enabling outgoing traffic from those private instances while preventing incoming traffic from the Internet to reach those private instances directly.

When a private instance needs to access the Internet, it sends requests to the NAT instance, which then modifies the requests, replacing the private IP address of the instance with its own public IP address before forwarding the request to the Internet. Once the response comes back, the NAT instance translates the address back to the private IP of the instance and forwards the response accordingly. This keeps the private instances secure while still allowing them to access necessary resources and software updates from the Internet.

The other choices, while relevant to certain networking scenarios, do not specifically address the requirement for private subnet instances to access the Internet. Elastic IPs are used primarily for public-facing resources. VPC peering allows for private connectivity between two VPCs, and VPN connections facilitate secure connections between a VPC and a remote network or on-premises environment, but neither provides the capability for outbound Internet access like a NAT instance does.