
Reply To: I think this question about NAT instances/Gateways marks the wrong answer

  • Kenneth-Samonte-Tutorials-Dojo

    March 23, 2021 at 10:03 pm

    Hello Jonathan,

    Thank you for your feedback and for sharing your thoughts on this question.

    Actually, I updated this particular question to increase the confusion for NACL choices. I still believe that our answer is correct. Let me explain.

    “It’s highly unlikely that this company is running multiple NAT instances manually. The overwhelming majority of VPCs with NAT Instances use a uniform route table that all point to the same NAT IP and thus can just use one route table for all private subnets. When you run multiple NATs (or multiple NAT Gateways for that matter), you need separate route tables depending on which AZ you’re in, which increases complexity.”

    > For NAT Gateways (not NAT instances – we do not recommend NAT instances anymore), they stay in one AZ only. Although NAT gateways are scalable and can accommodate the traffic of all subnets within the VPC across multiple AZs, the NAT gateway is still in one single AZ. Therefore, if the AZ in which the NAT Gateway is hosted fails, all your instances in the VPC that use that NAT gateway will fail to access the internet.

    AWS recommends that you have one NAT Gateway for each AZ.

    “If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.”

    Please see this link:

    The answer “One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider.” is incorrect because a Network ACL affects all the subnets associated with it in the VPC. If there is a misconfigured rule on the NACL, then the other subnets will be affected too, which could result in a 100% failure of requests to the third-party provider.

    Hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam!


    Kenneth Samonte @ Tutorials Dojo
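The two checks this reply describes (every private subnet should exit through a NAT gateway in its own AZ, and a NACL rule applies to every subnet associated with that NACL, not to one of them) written out as an added audit script. This is example code, not part of the original post or of Tutorials Dojo's or AWS's material. It runs offline on constructed data shaped like the boto3 `describe_subnets`, `describe_route_tables`, `describe_nat_gateways` and `describe_network_acls` responses; the subnet, route table, NAT gateway and ACL identifiers and the 203.0.113.0/24 "provider" range are assumed placeholders (against a real account you would pass the live API responses instead).

```python
"""Offline audit of a VPC's NAT-gateway routing and NACL blast radius.

Added example, not Tutorials Dojo or AWS code. The constants are constructed
data in the shape of the boto3 EC2 describe_* responses.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: NAT gateways exist in both AZs, but every private subnet
# in us-east-1b still exits via the us-east-1a NAT through one shared table
# (the "one route table for all private subnets" layout from the thread).
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-a1", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv-b1", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-priv-b2", "AvailabilityZone": "us-east-1b"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-aaa", "SubnetId": "subnet-pub-a"},
    {"NatGatewayId": "nat-bbb", "SubnetId": "subnet-pub-b"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-priv-a",
     "Associations": [{"SubnetId": "subnet-priv-a1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaa"}]},
    {"RouteTableId": "rtb-priv-shared",
     "Associations": [{"SubnetId": "subnet-priv-b1"}, {"SubnetId": "subnet-priv-b2"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaa"}]},
]
NETWORK_ACLS = [
    {"NetworkAclId": "acl-a", "Associations": [{"SubnetId": "subnet-priv-a1"}],
     "Entries": [{"RuleNumber": 100, "Egress": True, "RuleAction": "allow",
                  "Protocol": "-1", "CidrBlock": "0.0.0.0/0"}]},
    # A deny for the (placeholder, TEST-NET-3) provider range sits in front of
    # the catch-all allow, and two subnets share this ACL.
    {"NetworkAclId": "acl-shared",
     "Associations": [{"SubnetId": "subnet-priv-b1"}, {"SubnetId": "subnet-priv-b2"}],
     "Entries": [
         {"RuleNumber": 90, "Egress": True, "RuleAction": "deny", "Protocol": "6",
          "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 443, "To": 443}},
         {"RuleNumber": 100, "Egress": True, "RuleAction": "allow",
          "Protocol": "-1", "CidrBlock": "0.0.0.0/0"},
     ]},
]


def cross_az_nat_routes(subnets, route_tables, nat_gateways):
    """Return (subnet, subnet_az, nat_id, nat_az) for every subnet whose default
    route uses a NAT gateway in another AZ: those subnets lose internet access
    when the NAT gateway's AZ fails, even if their own AZ is healthy."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    nat_az = {n["NatGatewayId"]: az_of[n["SubnetId"]] for n in nat_gateways}
    findings = []
    for rtb in route_tables:
        default = [r for r in rtb["Routes"]
                   if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        if not default:
            continue
        nat = default[0]["NatGatewayId"]
        for assoc in rtb["Associations"]:
            sid = assoc.get("SubnetId")  # main-table associations carry no SubnetId
            if sid and az_of[sid] != nat_az[nat]:
                findings.append((sid, az_of[sid], nat, nat_az[nat]))
    return findings


def nacl_egress_verdict(acl, dst_ip, dst_port, protocol="6"):
    """Evaluate egress entries as AWS does: ascending RuleNumber, first match
    wins, implicit deny when nothing matches. NACLs are stateless, so the
    reply traffic also needs a matching inbound rule (not modelled here)."""
    ip = ip_address(dst_ip)
    for e in sorted((e for e in acl["Entries"] if e["Egress"]),
                    key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        if ip not in ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None


def subnets_blocked_to(network_acls, dst_ip, dst_port, protocol="6"):
    """Map each NACL that denies the destination to every subnet associated
    with it: an NACL rule never affects just one of those subnets."""
    blocked = {}
    for acl in network_acls:
        action, _ = nacl_egress_verdict(acl, dst_ip, dst_port, protocol)
        if action == "deny":
            blocked[acl["NetworkAclId"]] = sorted(a["SubnetId"] for a in acl["Associations"])
    return blocked


if __name__ == "__main__":
    for sid, saz, nat, naz in cross_az_nat_routes(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print(f"{sid} ({saz}) exits via {nat} in {naz}: AZ-dependent")
    print("blocked to provider:", subnets_blocked_to(NETWORK_ACLS, "203.0.113.10", 443))
```

On the constructed data the first check flags both us-east-1b subnets as depending on the us-east-1a NAT gateway, which is the failure the reply describes; the fix is a second private route table pointing at nat-bbb and associated with the 1b subnets. The second check shows that the single deny rule on acl-shared blocks HTTPS to the provider from every subnet associated with that ACL, while port 80 to the same host falls through to the allow rule.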