-
12. QUESTION
Category: CSAP – Continuous Improvement for Existing Solutions
A company hosts its multi-tiered web application on a fleet of Auto Scaling EC2 instances spread across two Availability Zones. The Application Load Balancer is in the public subnets and the Amazon EC2 instances are in the private subnets. After a few weeks of operations, the users are reporting that the web application is not working properly. Upon testing, the Solutions Architect found that the website is accessible and the login is successful. However, when the “find a nearby store” function is clicked on the website, the map loads only about 50% of the time when the page is refreshed. This function involves a third-party RESTful API call to a maps provider. Amazon EC2 NAT instances are used for these outbound API calls.
Which of the following options are the MOST likely reason for this failure and the recommended solution?
The option that says: One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider. Update the network ACL to allow this connection and configure IAM permissions to restrict these changes in the future is incorrect. Network ACLs affect all the subnets associated with it. If there is a misconfigured rule, the other subnets will be affected too, which could result in a 100% failure of requests to the third-party provider.
The explanation for this doesn’t seem correct. We can have separate NACLs for each subnet. And if the NACL associated with one of the public subnets, hosting a NAT instance, blocked traffic to the third party, we would see the same error 50% of the time.
-
Hi khawaja,
Thank you for sharing your feedback on this question.
You are correct that we can have separate NACLs for each subnet. However, I think it is safer to assume that NACLs are always associated with all the subnets, unless specified in the question itself. For example, the default VPC and the default subnets have the same NACL associated with them. If the NACL is applied to particular subnets only, I think the AWS question will mention that particular detail, such as a different association of the NACL.
When you create a VPC and you create subnets in it, you usually (though not always) have the NACL associated with those subnets. You may have different NACLs associated with different subnets, but those are for special use cases which I think the question will explicitly state. So for this question scenario, we can assume that the NACL is applied to both subnets; after all, those subnets host the EC2 instances that are in a cluster. So it does not make any sense if both subnets have different NACLs.
The aim of this particular question is to emphasize that NAT gateways stay on one AZ only so you need to design for Fault Tolerance (and also to create confusion with NACL).
For NAT Gateways (not NAT instances – AWS does not recommend NAT instances anymore), they stay in 1 AZ only. Although NAT gateways are scalable and can accommodate the traffic of all subnets within the VPC across multiple AZs, the NAT gateway is still in 1 single AZ. Therefore, if the AZ in which the NAT Gateway is hosted fails, all your instances in the VPC that use that NAT gateway will fail to access the internet.
AWS recommends that you have 1 NAT Gateway for each AZ.
“If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.”
Please see this link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
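As an added illustration of the routing check the quoted AWS guidance calls for (this is not part of the thread or any AWS tool), the Python function below takes describe-style subnet, NAT gateway and route table data (constructed here, with hypothetical IDs) and flags private subnets whose 0.0.0.0/0 route leaves through a NAT gateway hosted in a different AZ; the PER_AZ_* data shows the corrected one-NAT-gateway-per-AZ layout, which produces no findings.

```python
# Constructed sample in the shape of a subset of the EC2 DescribeSubnets,
# DescribeNatGateways and DescribeRouteTables responses (IDs are hypothetical).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a"}]

# Single-AZ design from the thread: both private subnets share one route table,
# so both depend on the NAT gateway in us-east-1a.
SHARED_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
]

# AZ-independent design: one NAT gateway per AZ and one route table per AZ.
PER_AZ_NAT_GATEWAYS = NAT_GATEWAYS + [{"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b"}]
PER_AZ_ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]


def find_cross_az_nat_routes(subnets, nat_gateways, route_tables):
    """Return (subnet_id, subnet_az, nat_id, nat_az) for every subnet whose
    0.0.0.0/0 route targets a NAT gateway hosted in a different AZ."""
    az_of_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT gateway lives in the AZ of the (public) subnet it was created in.
    az_of_nat = {n["NatGatewayId"]: az_of_subnet[n["SubnetId"]] for n in nat_gateways}
    findings = []
    for rt in route_tables:
        nat_ids = [r["NatGatewayId"] for r in rt["Routes"]
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        if not nat_ids:
            continue  # default route goes elsewhere (IGW or none); out of scope here
        nat_id = nat_ids[0]
        for assoc in rt.get("Associations", []):
            subnet_id = assoc.get("SubnetId")  # main-table associations carry no SubnetId
            if subnet_id and az_of_subnet[subnet_id] != az_of_nat.get(nat_id):
                findings.append((subnet_id, az_of_subnet[subnet_id], nat_id, az_of_nat.get(nat_id)))
    return findings
```

Feeding real describe-* output (for example from the AWS CLI) into the same function lets you audit an existing VPC for the cross-AZ dependency the quoted guidance warns about.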
-
I don’t feel like the assumption that both subnets will be using the same subnet is a fair one. Maybe there should be a hint in the question to suggest that.
Also I don’t think this question is checking knowledge on having a NAT gateway in multiple availability zones.
-