What should the solutions architect do to enable Internet access for the private subnets?
Create three NAT gateways, one for each public subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT gateway in its AZ.
Create three NAT instances, one for each private subnet in each AZ. Create a private route table for each AZ that forwards non-VPC traffic to the NAT instance in its AZ.
Create a second internet gateway on one of the private subnets. Update the route table for the private subnets that forward non-VPC traffic to the private internet gateway.
Create an egress-only internet gateway on one of the public subnets. Update the route table for the private subnets that forward non-VPC traffic to the egress-only Internet gateway.
Explanations:
Creating three NAT gateways, one in each AZ, allows instances in the private subnets to reach the internet for software updates while keeping the design highly available. A NAT gateway is a zonal resource: it must live in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway), and private subnets in other AZs can only use it by crossing AZs, so if that AZ fails they lose egress as well. Placing one NAT gateway in the public subnet of each AZ and giving each AZ its own private route table, with 0.0.0.0/0 pointing at the NAT gateway in the same AZ, keeps an AZ failure from affecting the other AZs and avoids cross-AZ data charges. The NAT gateway only translates connections initiated from inside the VPC, so the private instances still cannot be reached from the internet.
NAT instances can provide internet access for private subnets, but each one is a single EC2 instance whose bandwidth, patching and failover are the operator's responsibility, which makes them less scalable and resilient than NAT gateways. This option is also wrong on placement: it puts the NAT instances in the private subnets, but a NAT instance must sit in a public subnet with a public or Elastic IP address (and source/destination checking disabled) to forward traffic to the internet gateway.
An internet gateway is attached to the VPC, not to a subnet, and a VPC can have only one internet gateway attached at a time, so there is no "second internet gateway on a private subnet" to create. A subnet is public precisely because its route table sends 0.0.0.0/0 to the internet gateway; pointing the private route tables at an internet gateway would simply turn those subnets public, and instances without a public or Elastic IP address still could not reach the internet because the internet gateway only translates addresses for instances that have one.
An egress-only internet gateway handles IPv6 traffic only (it is the IPv6 counterpart of a NAT gateway, allowing outbound connections and dropping unsolicited inbound ones) and, like an internet gateway, is attached to the VPC rather than to a subnet. It cannot carry the IPv4 0.0.0.0/0 route the private subnets need, so NAT gateways (or NAT instances) remain the mechanism for IPv4 egress.
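As an added check that is not part of the original question or its explanation: the script below audits a VPC against the design the correct answer describes. It reads data in the shape returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`, treats a subnet as public when its route table sends 0.0.0.0/0 to an `igw-`, and for every other subnet checks that the default route targets an available NAT gateway that sits in a public subnet in the same AZ. The sample data is constructed (subnet, route table and NAT gateway IDs are invented), and the private subnet in us-east-1c is deliberately misrouted through the NAT gateway in us-east-1a so the cross-AZ finding shows up.

```python
import json

# Constructed sample in the shape of the AWS CLI describe-* responses
# (not captured from a real account). Three AZs, one public and one
# private subnet each. subnet-priv-c is deliberately misrouted via nat-a.
SUBNETS = json.loads("""{"Subnets": [
  {"SubnetId": "subnet-pub-a",  "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.0.0/24"},
  {"SubnetId": "subnet-pub-b",  "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.1.0/24"},
  {"SubnetId": "subnet-pub-c",  "AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.2.0/24"},
  {"SubnetId": "subnet-priv-a", "AvailabilityZone": "us-east-1a", "CidrBlock": "10.0.10.0/24"},
  {"SubnetId": "subnet-priv-b", "AvailabilityZone": "us-east-1b", "CidrBlock": "10.0.11.0/24"},
  {"SubnetId": "subnet-priv-c", "AvailabilityZone": "us-east-1c", "CidrBlock": "10.0.12.0/24"}]}""")

ROUTE_TABLES = json.loads("""{"RouteTables": [
  {"RouteTableId": "rtb-public",
   "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}, {"SubnetId": "subnet-pub-c"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
  {"RouteTableId": "rtb-priv-a", "Associations": [{"SubnetId": "subnet-priv-a"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}]},
  {"RouteTableId": "rtb-priv-b", "Associations": [{"SubnetId": "subnet-priv-b"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b", "State": "active"}]},
  {"RouteTableId": "rtb-priv-c", "Associations": [{"SubnetId": "subnet-priv-c"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a", "State": "active"}]}]}""")

NAT_GATEWAYS = json.loads("""{"NatGateways": [
  {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
  {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
  {"NatGatewayId": "nat-c", "SubnetId": "subnet-pub-c", "State": "available"}]}""")


def default_route(rt):
    """Return the active IPv4 default route of a route table, or None."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r
    return None


def route_table_for(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def audit(subnets, route_tables, nat_gateways):
    """Return {non-public subnet id: [findings]}; an empty list means the
    subnet follows the per-AZ NAT gateway design."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets["Subnets"]}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways["NatGateways"]}

    # A subnet is public iff its route table sends 0.0.0.0/0 to an internet gateway.
    public = set()
    for rt in route_tables["RouteTables"]:
        dr = default_route(rt)
        if dr and str(dr.get("GatewayId", "")).startswith("igw-"):
            public.update(a["SubnetId"] for a in rt.get("Associations", []) if "SubnetId" in a)

    report = {}
    for subnet_id, az in az_of.items():
        if subnet_id in public:
            continue
        findings = []
        rt = route_table_for(route_tables, subnet_id)
        dr = default_route(rt) if rt else None
        if dr is None:
            findings.append("no IPv4 default route: no internet egress at all")
        elif "NatGatewayId" in dr:
            nat = nat_by_id.get(dr["NatGatewayId"])
            if nat is None or nat.get("State") != "available":
                findings.append(f"default route targets {dr['NatGatewayId']}, which is missing or not available")
            else:
                if nat["SubnetId"] not in public:
                    findings.append(f"{nat['NatGatewayId']} sits in {nat['SubnetId']}, which is not a public subnet")
                nat_az = az_of.get(nat["SubnetId"])
                if nat_az != az:
                    findings.append(f"cross-AZ egress: {az} depends on {nat['NatGatewayId']} in {nat_az}")
        elif str(dr.get("GatewayId", "")).startswith("eigw-"):
            findings.append("egress-only internet gateway is IPv6-only; an IPv4 default route to it is invalid")
        else:
            findings.append(f"default route target {dr} is not a NAT gateway (NAT instance or other); verify manually")
        report[subnet_id] = findings
    return report


if __name__ == "__main__":
    for subnet_id, findings in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(subnet_id, "OK" if not findings else "; ".join(findings))
```

Against a live account, feed the script the JSON from the three `describe-*` calls (for example `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>`) in place of the constructed constants; the only finding on the sample data is the cross-AZ dependency of subnet-priv-c on nat-a.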