What additional step is required to allow access from the private instances?

You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and
network access control lists are property configured. Instances in a private subnet can access the NAT. The

NAT can access the Internet. However, private instances cannot access the Internet. What additional step is
required to allow access from the private instances?

A.
Enable Source/Destination Check on the private Instances.

B.
Enable Source/Destination Check on the NAT instance.

C.
Disable Source/Destination Check on the private instances.

D.
Disable Source/Destination Check on the NAT instance.

Show Hint

← Previous question

Next question →

Leave a Reply 18

Nitin Kansal

D
Disabling Source/Destination Checks

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

You can disable the SrcDestCheck attribute for a NAT instance that’s either running or stopped using the console or the command line.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

mr_tienvu

Correct answer is B

Martin

Correct answer is D.

fun4two

answer D

Sivakumar Arulmani

wow. This question/answer shows how bad the answer given in the website 🙂

SoftwareEngineer

D is the correct answer.

By default the NAT will perform Source Checks before it forwards the packet it received from EC2 instance out to the Internet and hence Source Checks need to be disabled on the NAT instance.

Reference documentation : http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

correct answer is D, here is very good logical explaination.
https://www.quora.com/Why-do-we-disable-source-destination-checks-on-the-NAT-instance

Sanjeev

B is just opposite answer.

sandeep

Guys. Any idea where we can get AWS SAA dumps ? Few dumps have wrong answer so very hard to decide which one to use. Any help would be much appreciated.