Tagged: NACL, NAT, Networking
-
I think this question about NAT instances/Gateways marks the wrong answer
jonathan-crane updated 2 years, 8 months ago 2 Members · 5 Posts -
The question is this one:
“A company hosts its multi-tiered web application on a fleet of Auto Scaling EC2 instances spread across two Availability Zones. The Application Load Balancer is in the public subnets and the Amazon EC2 instances are in the private subnets. After a few weeks of operations, the users are reporting that the web application is not working properly. Upon testing, the Solutions Architect found that the website is accessible and the login is successful. However, when the “find a nearby store” function is clicked on the website, the map loads only about 50% of the time when the page is refreshed. This function involves a third-party RESTful API call to a maps provider. Amazon EC2 NAT instances are used for these outbound API calls.
Which of the following options are the MOST likely reason for this failure and the recommended solution?”
TD’s right answer: “This error is caused by a failed NAT instance in one of the public subnets. Use NAT Gateways instead of EC2 NAT instances to ensure availability and scalability.”
My right answer: “One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider. Update the network ACL to allow this connection and configure IAM permissions to restrict these changes in the future.”
Here’s why:
It’s highly unlikely that this company is running multiple NAT instances manually. The overwhelming majority of VPCs with NAT Instances use a uniform route table that all point 0.0.0.0/0 to the same NAT IP and thus can just use one route table for all private subnets. When you run multiple NATs (or multiple NAT Gateways for that matter), you need separate route tables depending on which AZ you’re in, which increases complexity.
Secondly, the AWS SA Pro exam traditionally checks your understanding of NACLs, route tables, SGs, etc. While it’s also unlikely that a company manages many different NACLs because it’s a pain in the ass, AWS does like to check that you know you can do that.
Finally, you’re being internally inconsistent because you’re saying it’s likely that a company is going to the extra effort of using separate route tables for each subnet for routing to NATs, but UNlikely that they are using different NACLs for different subnets due to complexity.
Therefore I think it’s more likely that the answer AWS is looking for is the NACL one. Thank you.
-
Hello Jonathan,
Thank you for your feedback and for sharing your thoughts on this question.
Actually, I updated this particular question to increase the confusion for NACL choices. I still believe that our answer is correct. Let me explain.
“It’s highly unlikely that this company is running multiple NAT instances manually. The overwhelming majority of VPCs with NAT Instances use a uniform route table that all point 0.0.0.0/0 to the same NAT IP and thus can just use one route table for all private subnets. When you run multiple NATs (or multiple NAT Gateways for that matter), you need separate route tables depending on which AZ you’re in, which increases complexity.”
> For NAT Gateways (not NAT instances – we do not recommend NAT instances anymore), they stay in 1 AZ only. Although NAT gateways are scalable and can accommodate the traffic of all subnets within the VPC across multiple AZs, the NAT gateway is still in 1 single AZ. Therefore, if the AZ on which the NAT Gateway is hosted fails, all your instances in the VPC that use that NAT gateway will fail to access the internet.
AWS recommends that you have 1 NAT Gateway for each AZ.
“If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.”
Please see this link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
The answer “One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider.” is incorrect because a Network ACL affects all the subnets associated with it in the VPC. If there is a misconfigured rule on the NACL, then other subnets will be affected too, which could result in a 100% failure of requests to the third-party provider.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
-
Yes but your reply to whether the NACL question is wrong is itself wrong.
You can have many NACLs and many route tables. Just because one NACL is wrong doesn’t mean that NACL is applied to all subnets.
-
Hello Jonathan,
Thank you for your reply.
You can have many NACLs and many route tables. Just because one NACL is wrong doesn’t mean that NACL is applied to all subnets.
>> Yes, but I think by default it is safer to assume that the NACL is applied to all subnets in the VPC if nothing is stated in the question. If the NACL is applied to particular subnets only, I think AWS questions will mention that particular detail.
The default VPC which has 3 default subnets has the NACL applied to all subnets. This is a Professional level question and I believe we have to make implied judgments or assumptions that are not explicitly specified. As for NACLs, I assume they are applied to all subnets in the VPC unless otherwise specified in the question.
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Regards,
Kenneth Samonte @ Tutorials Dojo
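An added example, not code from the thread or from Tutorials Dojo, that checks the two points argued above over constructed data shaped like the relevant fields of the EC2 DescribeSubnets, DescribeRouteTables, DescribeNatGateways and DescribeNetworkAcls responses (all IDs are hypothetical, and 203.0.113.0/24 is a constructed stand-in for the maps provider's range): which private subnets depend on a NAT gateway in a different AZ, and which subnets a NACL egress deny actually affects, since a NACL only applies to the subnets associated with it.

```python
import ipaddress

# Constructed sample data (hypothetical IDs), shaped like the relevant fields of
# EC2 DescribeSubnets / DescribeRouteTables / DescribeNatGateways / DescribeNetworkAcls.
SUBNET_AZ = {"subnet-pub-a": "us-east-1a", "subnet-pub-b": "us-east-1b",
             "subnet-priv-a": "us-east-1a", "subnet-priv-b": "us-east-1b"}
NAT_GATEWAYS = [{"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a"}]
ROUTE_TABLES = [  # one shared table: both private subnets egress through nat-a (in 1a)
    {"Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]}]
NACLS = [  # acl-open covers priv-a only; acl-strict (denies the API range) covers priv-b only
    {"NetworkAclId": "acl-open", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Entries": [{"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}]},
    {"NetworkAclId": "acl-strict", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Entries": [{"RuleNumber": 50, "Egress": True, "RuleAction": "deny", "CidrBlock": "203.0.113.0/24"},
                 {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}]}]


def cross_az_nat_subnets(route_tables, nat_gateways, subnet_az):
    """Subnets whose 0.0.0.0/0 route points at a NAT gateway hosted in another AZ."""
    nat_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    findings = []
    for rt in route_tables:
        nats = [r["NatGatewayId"] for r in rt["Routes"]
                if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        for assoc in rt["Associations"]:
            sub = assoc.get("SubnetId")
            for nat in nats:
                if sub and subnet_az[sub] != nat_az[nat]:
                    findings.append((sub, nat, nat_az[nat]))  # loses egress if that AZ fails
    return findings


def nacl_egress_verdict(nacl, dest_ip):
    """Evaluate egress entries the way a NACL does: ascending rule number, first
    match wins, implicit deny (the '*' rule) when nothing matches."""
    ip = ipaddress.ip_address(dest_ip)
    for e in sorted((e for e in nacl["Entries"] if e["Egress"]), key=lambda e: e["RuleNumber"]):
        if ip in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"]
    return "deny"


def subnets_denied_egress(nacls, dest_ip):
    """Only subnets associated with a denying NACL lose access; the others are untouched."""
    return sorted(a["SubnetId"]
                  for n in nacls if nacl_egress_verdict(n, dest_ip) == "deny"
                  for a in n["Associations"])
```

With this data the cross-AZ check flags subnet-priv-b (it routes through a NAT gateway in us-east-1a), and the NACL check shows the deny on acl-strict reaches only subnet-priv-b, so a 50% failure pattern is consistent with either a lost AZ or a NACL scoped to half the subnets.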
-
“Yes, but I think by default it is safer to assume that the NACL is applied to all subnets in the VPC if nothing is stated in the question.”
I don’t think it’s safe to assume ANYTHING that isn’t explicitly stated in the question.