Member, November 13, 2022 at 8:34 am
Q: A company hosts its multi-tiered web application on a fleet of Auto Scaling EC2 instances spread across two Availability Zones. The Application Load Balancer is in the public subnets and the Amazon EC2 instances are in the private subnets. After a few weeks of operations, the users are reporting that the web application is not working properly. Upon testing, the Solutions Architect found that the website is accessible and the login is successful. However, when the “find a nearby store” function is clicked on the website, the map loads only about 50% of the time when the page is refreshed. This function involves a third-party RESTful API call to a maps provider. Amazon EC2 NAT instances are used for these outbound API calls.
Which of the following options is the MOST likely reason for this failure and the recommended solution?
A (indicated as incorrect): The option that says: One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider. Update the network ACL to allow this connection and configure IAM permissions to restrict these changes in the future is incorrect. Network ACLs affect all the subnets associated with them. If there is a misconfigured rule, the other subnets will be affected too, which could result in a 100% failure of requests to the third-party provider.
1) Nowhere is it stated that other subnets use the same NACL. 2) The other AZ should presumably still work, as with the (other) “correct” answer.
Member, December 11, 2022 at 9:06 pm
Thanks for the feedback.
Actually, the aim of this particular question is to increase the confusion about NACL in the choices. I still believe that our answer is correct.
1) Nowhere is it stated that other subnets use the same NACL
> Unless stated explicitly in the question, it is safe to assume that NACLs are applied to other subnets as well. NACLs affect the traffic blocking in the VPC after all, including inter-subnet communications.
2) The other AZ should presumably still work, as with the (other) “correct” answer.
Yes, the other AZ works; that's why the question says the request is successful 50% of the time. This could indicate that the other NAT instances in the other AZ are not working.
This is from AWS documentation.
> For NAT Gateways (not NAT instances – we do not recommend NAT instances anymore), they stay on 1AZ only. Although NAT gateways are scalable and can accommodate the traffic of all Subnets within the VPC across multiple AZ, the NAT gateway is still on 1 single AZ. Therefore, if that AZ on which the NAT Gateway is hosted fails, all your instances in the VPC that uses that NAT gateway will fail to access the internet.
AWS recommends that you have 1 NAT Gateway for each AZ.
“If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.”
Please see this link: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html
Hope this helps.
Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!
Kenneth Samonte @ Tutorials Dojo
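The AWS guidance quoted in the reply above (one NAT gateway per AZ, with each private subnet's routing pointing at the NAT device in its own AZ) can be checked mechanically. The following is an added example, not code from Tutorials Dojo, AWS, or the thread's author: it audits route tables for private subnets whose 0.0.0.0/0 route exits through a NAT gateway or NAT instance located in a different AZ, which is exactly the AZ-dependent layout the reply describes. The input is constructed offline in the shape of the relevant fields of boto3's describe_subnets, describe_nat_gateways, describe_instances and describe_route_tables responses; every ID, AZ name and CIDR is hypothetical. Because the question's scenario uses NAT instances rather than NAT gateways, routes targeting an InstanceId are handled alongside routes targeting a NatGatewayId.

```python
"""Flag private subnets whose default route leaves via a NAT device in another AZ.

Added example; data below is constructed to look like trimmed boto3 output.
All identifiers are hypothetical.
"""

# --- constructed inventory ---------------------------------------------------
SUBNETS = [
    {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
]
# One NAT gateway per public subnet, i.e. per AZ (the recommended layout).
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0aaa", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-0bbb", "SubnetId": "subnet-pub-b", "State": "available"},
]
# The question's scenario uses NAT instances; routes then target an InstanceId.
NAT_INSTANCES = [
    {"InstanceId": "i-0nat-a", "SubnetId": "subnet-pub-a"},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

# AZ-dependent: both private subnets share one table whose default route
# points at the NAT gateway in us-east-1a.
ROUTE_TABLES_SHARED = [
    {"RouteTableId": "rtb-private-shared",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
]
# Same mistake with a NAT instance as the route target.
ROUTE_TABLES_NAT_INSTANCE = [
    {"RouteTableId": "rtb-private-shared-inst",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0nat-a"}]},
]
# AZ-independent: one private route table per AZ, each using its own AZ's NAT gateway.
ROUTE_TABLES_PER_AZ = [
    {"RouteTableId": "rtb-private-a",
     "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"}]},
    {"RouteTableId": "rtb-private-b",
     "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
]


def _default_route_nat_target(rtb):
    """Return the NAT gateway or NAT instance ID behind 0.0.0.0/0, or None when
    the default route is absent or goes elsewhere (e.g. an internet gateway)."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("NatGatewayId") or route.get("InstanceId")
    return None


def audit_nat_az_alignment(subnets, nat_gateways, route_tables, nat_instances=()):
    """Return one finding per subnet whose default route uses a NAT device
    sitting in a different AZ than the subnet itself."""
    subnet_az = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # A NAT device's AZ is the AZ of the subnet it lives in.
    target_az = {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}
    target_az.update({i["InstanceId"]: subnet_az[i["SubnetId"]] for i in nat_instances})

    findings = []
    for rtb in route_tables:
        target = _default_route_nat_target(rtb)
        if target is None or target not in target_az:
            continue  # not NAT-routed, or the target is not a NAT device we know
        for assoc in rtb["Associations"]:
            sid = assoc.get("SubnetId")
            if sid is None:
                continue  # the VPC "main" association carries no SubnetId
            if subnet_az[sid] != target_az[target]:
                findings.append({"route_table": rtb["RouteTableId"],
                                 "subnet": sid, "subnet_az": subnet_az[sid],
                                 "nat_target": target, "nat_az": target_az[target]})
    return findings


if __name__ == "__main__":
    for label, tables in [("shared", ROUTE_TABLES_SHARED),
                          ("nat-instance", ROUTE_TABLES_NAT_INSTANCE),
                          ("per-az", ROUTE_TABLES_PER_AZ)]:
        print(label, audit_nat_az_alignment(SUBNETS, NAT_GATEWAYS, tables, NAT_INSTANCES))
```

Against the shared table, subnet-priv-b is reported because its traffic exits through nat-0aaa in us-east-1a; losing that AZ (or that single NAT instance) takes the second AZ's outbound API calls down with it, which matches the intermittent "find a nearby store" failure the question describes. The per-AZ tables produce no findings. Against a real account the same function can be fed the output of the corresponding boto3 describe_* calls, since only the fields shown are read.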