  • NAT ErrorPortAllocation wrong answer

  • amirasyraf

    Member
    August 18, 2025 at 7:14 am

    Category: ANS – Network Design

    An organization has an online customer portal running on a fleet of Amazon EC2 instances hosted in a single private subnet. The portal connects to a 3rd party API, which is available through a public HTTPS endpoint, to fetch the latest customer data. A NAT Gateway has been integrated to the VPC to allow the private instances to connect to the HTTPS endpoint over the public Internet. Amazon CloudWatch metrics are also configured to properly monitor the application and network performance. The Network team noticed that the new outgoing connections are starting to fail and at the same time, the ErrorPortAllocation metric in Amazon CloudWatch for the NAT gateway is also increasing at a steady rate.

    Which of the following is the MOST suitable solution that the team should implement to further improve data connectivity?

    A. Associate another Elastic IP address to the NAT gateway.

    B. Create a NAT gateway in each Availability Zone, and then distribute your clients across multiple Availability Zones. Route traffic to the public Internet using a NAT gateway in the same Availability Zone as your client to reduce cross Availability Zone data charges.

    C. Enable the HTTP keep-alive option for the EC2 instances and set it to 3600.

    D. Disable the HTTP keep-alive option for the EC2 instances.

    =====

    It says the correct answer is B. Why? The instances are in a single subnet, hence single AZ. NAT gateway in multiple AZs would be a waste.

    Plus, the answer says that answer A is wrong because “it’s not possible to attach a secondary Elastic IP address to a NAT Gateway.” – This is not false, the documentation which is linked in the question says exactly that you can: “Associate secondary IPv4 addresses to increase the number of available ports and increase the limit of concurrent connections that your workloads can establish. A maximum of eight IPv4 addresses can be associated to your NAT gateways (1 primary IPv4 address and 7 secondary IPv4 addresses).”

  • amirasyraf

    Member
    August 18, 2025 at 7:15 am

    Semi-related, I think the practice exam needs a button/link that allows users to report flawed questions/answers. There’s currently no easy way to report it.

    • Irene-TutorialsDojo

      Administrator
      August 20, 2025 at 1:48 pm

      Hello amirasyraf,

      Thank you for reaching out and for carefully reviewing the question and its explanation. You are correct that AWS now allows you to associate up to 8 IP addresses (including Elastic IPs) with a NAT Gateway. This feature, introduced in 2023, increases the number of available ports by approximately 55,000 per IP and is indeed a valid method for resolving ErrorPortAllocation issues. The original explanation stating that additional Elastic IPs cannot be attached is outdated and will be updated to reflect the latest AWS documentation.

      That said, the reason Option B (Create a NAT gateway in each Availability Zone…) remains the correct answer in this practice question is because it follows AWS’s best practice guidance for scalability, availability, and fault tolerance. Even if your current environment resides in a single AZ, deploying NAT Gateways across multiple AZs ensures resiliency against AZ failures, distributes traffic more effectively, and reduces cross-AZ data charges. While Option A (adding more Elastic IPs) is a valid short-term solution in real-world scenarios, the exam is testing for the design that meets both scalability and resiliency requirements, which is why Option B is the best choice in this context.

      If you have further questions or need additional clarification, please don’t hesitate to contact us.

      Best,

      Irene @ Tutorials Dojo
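
An added example, not part of the thread or of any AWS tooling: a small planner that applies the figures quoted above (about 55,000 ports per address, at most 8 addresses per NAT gateway) to per-destination connection counts. It assumes the limit is counted per unique destination, as the AWS NAT gateway documentation describes; the function name, field names and sample counts are constructed for illustration.

```python
import math

PORTS_PER_IP = 55_000  # approximate per-address figure quoted in the reply above
MAX_IPS = 8            # 1 primary + 7 secondary, per the documentation quote above


def plan_nat_addresses(active_by_dest, current_ips=1):
    """Report, per destination, whether one NAT gateway has enough source ports.

    active_by_dest maps (dst_ip, dst_port, proto) -> concurrent connections.
    Assumption: the port limit applies separately to each unique destination,
    so only the busiest destination decides how many addresses are needed.
    """
    capacity = current_ips * PORTS_PER_IP
    report = []
    for dest, active in sorted(active_by_dest.items(), key=lambda kv: -kv[1]):
        needed = max(1, math.ceil(active / PORTS_PER_IP))
        if active <= capacity:
            status = "ok"
        elif needed <= MAX_IPS:
            status = "add-addresses"          # secondary addresses are enough
        else:
            status = "split-across-gateways"  # beyond what one gateway can hold
        report.append({
            "dest": dest,
            "active": active,
            "utilization": round(active / capacity, 2),
            "ips_needed": min(needed, MAX_IPS),
            "status": status,
        })
    return report


# Constructed sample: one busy third-party HTTPS endpoint and one quiet one.
SAMPLE = {
    ("203.0.113.10", 443, "tcp"): 61_500,
    ("198.51.100.7", 443, "tcp"): 1_200,
}

if __name__ == "__main__":
    for row in plan_nat_addresses(SAMPLE):
        print(row)
```
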
