What should the solutions architect do to resolve this issue?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A solutions architect creates a VPC that includes two public subnets and two private subnets.A corporate security mandate requires the solutions architect to launch all Amazon EC2 instances in a private subnet.However, when the solutions architect launches an EC2 instance that runs a web server on ports 80 and 443 in a private subnet, no external internet traffic can connect to the server.

What should the solutions architect do to resolve this issue?

Attach the EC2 instance to an Auto Scaling group in a private subnet. Ensure that the DNS record for the website resolves to the Auto Scaling group identifier.

Provision an internet-facing Application Load Balancer (ALB) in a public subnet. Add the EC2 instance to the target group that is associated with the ALEnsure that the DNS record for the website resolves to the ALB.

Launch a NAT gateway in a private subnet. Update the route table for the private subnets to add a default route to the NAT gateway. Attach a public Elastic IP address to the NAT gateway.

Ensure that the security group that is attached to the EC2 instance allows HTTP traffic on port 80 and HTTPS traffic on port 443. Ensure that the DNS record for the website resolves to the public IP address of the EC2 instance.

Explanations:

Launching an EC2 instance in a private subnet does not automatically expose it to the internet. Attaching the EC2 instance to an Auto Scaling group does not solve the problem of external internet access.

An internet-facing Application Load Balancer (ALB) in a public subnet can route traffic from the internet to the EC2 instance in a private subnet. The EC2 instance would not have a direct public IP, but the ALB will act as the entry point for web traffic.

A NAT gateway allows outbound internet access for resources in private subnets but does not provide inbound internet traffic to EC2 instances in private subnets. It’s primarily for allowing private instances to reach the internet, not for serving incoming web traffic.

The EC2 instance is in a private subnet, so it does not have a public IP address, and thus cannot be accessed directly from the internet. Even if the security group allows HTTP and HTTPS traffic, the instance itself needs a public-facing component like an ALB to route external traffic.

2025-10-22

1 Comment

  1. Kathryn
    Author

    I scheme that the answer is:
    Provision an internet-facing Application Load Balancer (ALB) in a public subnet. Add the EC2 instance to the target group that is associated with the ALEnsure that the DNS record for the website resolves to the ALB.

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 8 =