What additional step is required to allow access from t…

You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and
network access control lists are properly configured. Instances in a private subnet can access the NAT. The
NAT can access the Internet. However, private instances cannot access the Internet. What additional step is
required to allow access from the private instances?

A. Enable Source/Destination Check on the private instances.

B. Enable Source/Destination Check on the NAT instance.

C. Disable Source/Destination Check on the private instances.

D. Disable Source/Destination Check on the NAT instance.




uri

B is wrong.
D is the right answer.

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

Baibhav Vishal

D
Key point here: we have launched a NAT instance, not a NAT gateway.

Since a NAT instance uses EC2 at the backend, and EC2 by default mandates that the instance be either the src or dest of internet packets, we have to disable it here.
All these problems of self-managing the NAT instance go away if we use the NAT gateway instead.
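
An audit for the situation in the question, as an added example that is not part of the original page or its comments: it cross-checks route tables against instance attributes to find a NAT instance that routes point at while its source/destination check is still enabled, and, going one step beyond the question, instances that have the check disabled without being a route target. The IDs and sample data are constructed, shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-instances`.

```python
# Audit: NAT instances used as route targets vs. their SourceDestCheck setting.

# Constructed sample data in the shape returned by
# `aws ec2 describe-route-tables` and `aws ec2 describe-instances`.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-private-example",
     "Routes": [
         {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
         {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat-example"},
     ]},
    {"RouteTableId": "rtb-public-example",
     "Routes": [
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
     ]},
]}
INSTANCES = {"Reservations": [{"Instances": [
    {"InstanceId": "i-nat-example", "SourceDestCheck": True},
    {"InstanceId": "i-app-example", "SourceDestCheck": True},
    {"InstanceId": "i-odd-example", "SourceDestCheck": False},
]}]}


def audit_source_dest_check(route_tables, instances):
    """Return (broken_nat, unexpected_forwarders).

    broken_nat: {instance id: [route table ids]} for instances that routes
        point at while the check is enabled, so forwarded packets are dropped.
    unexpected_forwarders: instances with the check disabled that no route
        targets, i.e. a forwarding capability nothing appears to need.
    """
    check = {i["InstanceId"]: i.get("SourceDestCheck", True)
             for r in instances["Reservations"] for i in r["Instances"]}
    targets = {}  # instance id -> route tables that send traffic through it
    for rt in route_tables["RouteTables"]:
        for route in rt["Routes"]:
            if "InstanceId" in route:
                targets.setdefault(route["InstanceId"], []).append(rt["RouteTableId"])
    # Instances missing from the describe output are skipped, not guessed at.
    broken = {iid: rts for iid, rts in targets.items() if check.get(iid)}
    unexpected = sorted(iid for iid, enabled in check.items()
                        if not enabled and iid not in targets)
    return broken, unexpected


if __name__ == "__main__":
    broken, unexpected = audit_source_dest_check(ROUTE_TABLES, INSTANCES)
    for iid, rts in broken.items():
        print(f"{iid}: route target in {rts} but SourceDestCheck is enabled")
    for iid in unexpected:
        print(f"{iid}: SourceDestCheck disabled but not a route target")
```

For an instance reported in the first group, the check is turned off with `aws ec2 modify-instance-attribute --instance-id <nat-instance-id> --no-source-dest-check`.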