Certified Security - Specialty


About Question 10

Hello, 

I have a small remark about question 10.

10) "You have configured a new VPC with a private subnet and added a NAT Gateway and configured the subnet route table to route all internet traffic via the NAT Gateway. However when you try to run a yum update, none of your instances are able to reach the internet. What could be the problem?"

I think that a NAT Gateway should be created only in a public subnet! Correct me if I'm wrong.

Brannen Taylor

I think you’re right. What are the other choices?

El khadri

I think the simple way is to reformulate the question, or just add a new choice that allows moving the NAT-GTW to a public subnet, and so on.

Jay Garing

A NAT gateway allows instances to establish connections to computers on the internet, but it does not allow the reverse. It does not allow computers on the internet to reach into the subnet and establish a connection.

Jay Garing

Therefore, it’s a good option for a private subnet.

Jeremy T. Bouse

Yes, I questioned this one as well…

Jeremy T. Bouse

Of the answers to select from, 3 talk about allowing HTTPS traffic to/from 0.0.0.0/0, either inbound or outbound, and the only answer mentioning a Network ACL talks about allowing incoming traffic on ports 80 & 443.

5 Answers

I guess NACL rules should also be updated to allow access through the NAT Gateway, if not already done.

El khadri

You should first move the NAT gateway to a public subnet and then add a route to the gateway from the private subnet.

The NAT Gateway should be in a public subnet, and the default (main) route table should be updated with a route that has the NAT gateway as its target.

In my opinion, nothing is wrong with the provided options. This question has intentional complexity. If you rephrase the question as

"You have configured a new VPC with a private subnet and added a NAT Gateway (assume everything is in its proper place, so in a public subnet)…"

What else could be wrong? Hope you do get it 🙂

Okay, so I dug a bit deeper into the logic on this, and the given answer does make sense, but only if the Security Group was created with steps taken to modify the Outbound rules in the first place.

As we should all know, Security Groups DENY traffic unless it is explicitly ALLOWed. So creating a new Security Group without adding any inbound rules would deny anything inbound, but, as the answer mentioned, Security Groups are stateful.

The problem I have with the given answer is thus that, by default, the outbound policy on a Security Group is to ALLOW "All Traffic" to "0.0.0.0/0", whether created through the console or CloudFormation, unless you specifically change it. Quoting from the AWS::EC2::SecurityGroup CloudFormation documentation, you have:

Remove Default Rule

When you specify a VPC security group, Amazon EC2 creates a default egress rule that allows egress traffic on all ports and IP protocols to any location. The default rule is removed only when you specify one or more egress rules. If you want to remove the default rule and limit egress traffic to just the localhost (127.0.0.1/32), use the following example.

So in order for this situation to even occur, you would have had to modify the outbound rules for the Security Group to either delete the default rule or create a rule that did not include HTTP/HTTPS or any TCP traffic. That, or the instance was launched with the default security group for the VPC, which in fact would also be valid, as the default security group has no inbound or outbound rules at all. In the end, the question never even tells you about the security group applied to the instances, so you're again left to assume, like we are about the NAT-GW being in a public subnet with proper routing through an IGW.

I still don’t understand this question because security groups cannot be attached to NAT Gateways. This question is just fundamentally bad.
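The thread above argues about four separate layers that can break "private subnet -> NAT gateway -> yum mirror": the private subnet's default route, whether the NAT gateway's own subnet is actually public (routed to an internet gateway), the instance's security group egress (stateful, so only outbound rules matter), and the subnet's network ACL (stateless, so outbound 80/443 and inbound ephemeral replies must both be allowed). The script below walks those layers in order over a description of the VPC. It is an added example, not code from the course or from any of the posters: the dict shapes loosely mirror EC2 `describe-*` responses, but every ID (`i-app`, `sg-app`, `nat-1`, `igw-1`, the subnet names), the NACL keyed by subnet, and the repo address `203.0.113.10` (a TEST-NET placeholder) are constructed for illustration.

```python
"""Troubleshoot the private subnet -> NAT gateway -> internet path.
Checks, in order: default route to a NAT gateway, the NAT gateway's subnet being public (IGW route),
security group egress (stateful) and network ACL outbound + inbound ephemeral (stateless).
All IDs/addresses are constructed for this example; shapes loosely mirror EC2 describe-* output.
"""
import ipaddress
from functools import lru_cache
from typing import List

ANY = "0.0.0.0/0"
REPO_IP = ipaddress.ip_address("203.0.113.10")   # constructed stand-in for a yum mirror (TEST-NET-3)
REPO_PORTS = (80, 443)                           # yum repos are served over HTTP or HTTPS
EPHEMERAL = range(1024, 65536)                   # reply ports a NAT gateway uses
_net = lru_cache(maxsize=None)(ipaddress.ip_network)   # parse each CIDR once

def route_table_for(route_tables: List[dict], subnet_id: str) -> dict:
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return rt
    raise LookupError(f"no route table applies to {subnet_id}")

def default_route_target(rt: dict) -> str:
    """Target of the active 0.0.0.0/0 route (igw-*, nat-*, ...), or '' if there is none."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == ANY and r.get("State", "active") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId") or ""
    return ""

def sg_allows_egress(group: dict, port: int) -> bool:
    """Security groups are stateful, so only the outbound rule set decides an outbound connection."""
    for perm in group["IpPermissionsEgress"]:
        if perm["IpProtocol"] not in ("-1", "tcp"):
            continue
        if perm["IpProtocol"] == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(REPO_IP in _net(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False

def nacl_allows(entries: List[dict], egress: bool, port: int) -> bool:
    """NACLs are stateless; rules are evaluated lowest number first and the first match wins."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", "6"):
            continue
        if REPO_IP not in _net(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "6" and pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False  # no rule matched: the implicit '*' deny applies

def nat_egress_problems(vpc: dict, instance_id: str) -> List[str]:
    """Reasons the instance cannot reach the internet through NAT; an empty list means the path looks fine."""
    inst = vpc["Instances"][instance_id]
    target = default_route_target(route_table_for(vpc["RouteTables"], inst["SubnetId"]))
    if not target.startswith("nat-"):
        return [f"{inst['SubnetId']} has no 0.0.0.0/0 route to a NAT gateway (target: {target or 'none'})"]
    problems = []
    nat = vpc["NatGateways"][target]
    if nat["State"] != "available":
        problems.append(f"{target} is in state {nat['State']}, not available")
    if not default_route_target(route_table_for(vpc["RouteTables"], nat["SubnetId"])).startswith("igw-"):
        problems.append(f"{target} sits in {nat['SubnetId']}, which has no 0.0.0.0/0 route to an "
                        "internet gateway; a NAT gateway must live in a public subnet")
    groups = [vpc["SecurityGroups"][g] for g in inst["SecurityGroups"]]  # attached groups are unioned
    for port in REPO_PORTS:
        if not any(sg_allows_egress(g, port) for g in groups):
            problems.append(f"security group egress blocks TCP {port} to {REPO_IP}")
    acl = vpc["NetworkAcls"][inst["SubnetId"]]  # keyed by subnet here for brevity (constructed shape)
    for port in REPO_PORTS:
        if not nacl_allows(acl, egress=True, port=port):
            problems.append(f"NACL outbound blocks TCP {port}")
    blocked = [p for p in EPHEMERAL if not nacl_allows(acl, egress=False, port=p)]
    if blocked:
        problems.append(f"NACL inbound blocks {len(blocked)} ephemeral reply ports (first: {blocked[0]})")
    return problems

def sample_vpc(nat_in_public: bool, sg_egress_open: bool) -> dict:
    """Constructed VPC description; the flags reproduce the two misconfigurations the thread discusses."""
    egress = ([{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}]}] if sg_egress_open
              else [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}])
    local = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
    return {
        "Instances": {"i-app": {"SubnetId": "subnet-private", "SecurityGroups": ["sg-app"]}},
        "SecurityGroups": {"sg-app": {"IpPermissionsEgress": egress}},
        "NatGateways": {"nat-1": {"SubnetId": "subnet-public" if nat_in_public else "subnet-private",
                                  "State": "available"}},
        "RouteTables": [
            {"Associations": [{"Main": True}], "Routes": [local]},
            {"Associations": [{"SubnetId": "subnet-public"}],
             "Routes": [local, {"DestinationCidrBlock": ANY, "GatewayId": "igw-1"}]},
            {"Associations": [{"SubnetId": "subnet-private"}],
             "Routes": [local, {"DestinationCidrBlock": ANY, "NatGatewayId": "nat-1"}]},
        ],
        "NetworkAcls": {"subnet-private": [
            {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": ANY},
            {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False, "CidrBlock": ANY,
             "PortRange": {"From": 1024, "To": 65535}},
        ]},
    }
```

`nat_egress_problems(sample_vpc(True, True), "i-app")` returns an empty list; `sample_vpc(False, False)` reproduces the question's two candidate causes at once (NAT gateway in a subnet with no IGW route, and a security group whose default "allow all" egress rule was replaced), and the script reports both rather than stopping at the first. The ephemeral check deliberately walks every port in 1024-65535 because NACL rules are first-match by rule number, so a low-numbered deny on part of that range would otherwise go unnoticed.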
