AWS Certified Solutions Architect - Professional 2020


Networking Quiz – NAT Gateway vs NAT Instance

Hey,

The answer set for the question "What are some reasons you might want to use a NAT Instance over a NAT Gateway? (Choose 3)" is incorrect.

The options are:

You only need to provide NAT for one or two machines.

You want to support IPv6 traffic.

You want the ability to detach your Elastic IP.

You want to allow public Internet initiated connections to your private instances.

You want to use security groups.

The answer "You want to allow public Internet initiated connections to your private instances" is marked as incorrect; however, it is a more correct answer than "You only need to provide NAT for one or two machines".

While a NAT Instance may be a good option for a small number of instances, you can still use a NAT Gateway in that situation. However, if you want to allow internet initiated connections to your private instances (port forwarding), you must use a NAT Instance.

Details here: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Ian Packer

I think this is ambiguous. Surely, whilst you may configure a NAT instance to forward Internet initiated connections to instances with only private addresses, this seems counter-intuitive. Why would you do that unless as a hack? Surely you'd just make the target instance public? The usual intention with NAT instances is for outbound access. Anything else is surely a highly custom networking requirement?

2 Answers

Hi Ryan,

Yes, I agree. The quiz question is incorrect... I just pushed an update.

–Scott

rahul.panicker86

Hi Scott, regarding this question: how would an Internet initiated connection be able to reach an instance with just a private IP through a NAT Instance? I thought that for an instance with a private IP to receive an inbound request, it should be behind an Internet-facing Load Balancer. However, this question seems to confuse me further, with a NAT instance being a way for it to receive inbound. Can you kindly explain this further?

Now you changed it to "You want to deny public internet initiated connections to your private instances."

How is that different when you use a NAT GW?

Rafael Figueiredo Cotta

Not sure if I got your question correctly, but a NAT Gateway does not allow internet initiated connections to reach your private instances (only connections initiated by the private instances reach the internet).
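To make the distinction in this thread concrete (the original post's point that only a NAT Instance can be configured for port forwarding, and the reply above that a NAT Gateway only translates flows the private instances start), here is a small stateful NAT model. It is an added illustration, not code from the course or from AWS: the gateway class keeps a translation table for outbound flows and drops anything inbound that is not a reply to a recorded flow; the instance class adds an admin-configured port-forward (DNAT) table on top, which is the one thing the managed gateway cannot do. All IPs and ports are constructed sample values.

```python
"""Toy model of NAT Gateway vs NAT Instance behaviour (constructed example)."""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Stateful source NAT only: private hosts may open outbound flows,
    and replies to those flows are translated back. Unsolicited inbound
    packets have no table entry and are dropped (returned as None)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self._ports = count(1024)  # constructed ephemeral-port allocator
        self._by_public_port = {}  # public port -> (priv_ip, priv_port, remote_ip, remote_port)
        self._by_flow = {}         # (priv_ip, priv_port, remote_ip, remote_port) -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private subnet and record the flow."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._by_flow.get(flow)
        if port is None:
            port = next(self._ports)
            self._by_flow[flow] = port
            self._by_public_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Translate a packet arriving from the Internet, or drop it (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        flow = self._by_public_port.get(pkt.dst_port)
        if flow is None:
            return None  # nobody inside asked for this: dropped
        priv_ip, priv_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, wrong peer: not a reply to the recorded flow
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


class NatInstance(NatGateway):
    """Same stateful SNAT, plus DNAT port-forwarding rules an administrator
    adds by hand (the iptables-style configuration only a NAT instance allows)."""

    def __init__(self, public_ip: str):
        super().__init__(public_ip)
        self._forwards = {}  # public dst port -> (private_ip, private_port)

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int):
        self._forwards[public_port] = (private_ip, private_port)

    def inbound(self, pkt: Packet):
        if pkt.dst_ip == self.public_ip and pkt.dst_port in self._forwards:
            priv_ip, priv_port = self._forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)
        return super().inbound(pkt)  # otherwise behave exactly like the gateway


def demo():
    """Run the scenarios discussed in the thread and return the translations."""
    public_ip = "203.0.113.5"                                   # constructed
    private_out = Packet("10.0.1.10", 40000, "93.184.216.34", 443)  # private -> Internet
    probe = Packet("198.51.100.7", 5555, public_ip, 22)         # Internet-initiated -> us

    gw = NatGateway(public_ip)
    out = gw.outbound(private_out)
    reply = gw.inbound(Packet(out.dst_ip, out.dst_port, out.src_ip, out.src_port))

    inst = NatInstance(public_ip)
    inst.add_port_forward(22, "10.0.1.10", 22)  # admin-added DNAT rule

    return {
        "gateway_outbound": out,
        "gateway_reply": reply,
        "gateway_unsolicited": gw.inbound(probe),
        "instance_without_rule": NatInstance(public_ip).inbound(probe),
        "instance_forwarded": inst.inbound(probe),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes is that a NAT instance without any forwarding rule behaves exactly like the gateway and drops the unsolicited packet; it is the extra, hand-maintained DNAT table that exposes a private instance, which is why the thread treats that as an unusual requirement rather than the normal reason to pick a NAT instance.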
