AWS · DVA-C02

VPC and Private Network Design — AWS Developer (DVA-C02)

2% of exam questions (4 of 200)

NAT Gateway vs VPC Gateway Endpoint for DynamoDB

Two ways to reach DynamoDB from a private subnet: NAT Gateway charges per GB processed and routes traffic through the public internet endpoint; a VPC Gateway Endpoint charges nothing and routes traffic entirely over the AWS private network. Gateway Endpoints support S3 and DynamoDB only. All other AWS services require Interface Endpoints, which provision an ENI in your subnet and incur an hourly charge plus per-GB data processing fees. Routing table entries must explicitly point the service prefix list to the Gateway Endpoint; without that route entry, traffic still exits through the NAT Gateway.

What This Pattern Tests

The exam describes a network requirement and tests VPC topology decisions. Public subnets have routes to an Internet Gateway. Private subnets route through a NAT Gateway for internet access ($0.045/hour + $0.045/GB). VPC Gateway Endpoints provide free private access to S3 and DynamoDB, configured as route table entries. Interface Endpoints (PrivateLink) provide private access to other AWS services and to third-party services via ENIs ($0.01/hour per AZ). Security Groups are stateful: allow the inbound traffic and the return traffic is automatically allowed. NACLs are stateless: both inbound and outbound rules must be allowed explicitly. The trap is using a NAT Gateway for S3 access from private subnets (the Gateway Endpoint is free) or confusing Security Group statefulness with NACL statelessness.
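As an added example (not from the page and not an AWS tool), the following Python audit applies longest-prefix matching to constructed `describe-route-tables`-style data to show which private route tables send DynamoDB traffic to the Gateway Endpoint and which still fall through to the NAT Gateway, the missing-route trap described in both sections above. The prefix-list ID, CIDRs and resource IDs are constructed placeholders.

```python
"""Added example: check which route tables steer DynamoDB traffic to a Gateway Endpoint."""
from ipaddress import ip_address, ip_network

# Constructed sample shaped like `aws ec2 describe-route-tables` output (not real account data).
# A Gateway Endpoint route carries a DestinationPrefixListId and a GatewayId of vpce-...
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789"},
        {"DestinationPrefixListId": "pl-ddb-placeholder", "GatewayId": "vpce-0abc"},
    ]},
    {"RouteTableId": "rtb-private-b", "Routes": [  # endpoint exists, but this table lacks the route
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789"},
    ]},
]

# Constructed stand-in for the region's managed DynamoDB prefix list (RFC 5737 documentation
# ranges); the real ID and CIDRs come from `aws ec2 get-managed-prefix-list-entries`.
PREFIX_LISTS = {"pl-ddb-placeholder": ["192.0.2.0/24", "198.51.100.0/24"]}


def next_hop(route_table, dst_ip, prefix_lists):
    """Longest-prefix match over one table; prefix-list routes expand to their member CIDRs."""
    ip = ip_address(dst_ip)
    best_len, best_target = -1, None
    for route in route_table["Routes"]:
        if "DestinationPrefixListId" in route:
            cidrs = prefix_lists.get(route["DestinationPrefixListId"], [])
        else:
            cidrs = [route["DestinationCidrBlock"]]
        target = route.get("GatewayId") or route.get("NatGatewayId")
        for cidr in cidrs:
            net = ip_network(cidr)
            if ip in net and net.prefixlen > best_len:
                best_len, best_target = net.prefixlen, target
    return best_target


def dynamodb_paths(route_tables, prefix_lists, probe_ip):
    """Map each route table to the hop a packet for a DynamoDB address would take."""
    return {rt["RouteTableId"]: next_hop(rt, probe_ip, prefix_lists) for rt in route_tables}


def tables_paying_nat(route_tables, prefix_lists, probe_ip):
    """Route tables where DynamoDB traffic still egresses via NAT (metered, public endpoint)."""
    paths = dynamodb_paths(route_tables, prefix_lists, probe_ip)
    return sorted(rtb for rtb, hop in paths.items() if hop and hop.startswith("nat-"))


if __name__ == "__main__":
    for rtb, hop in dynamodb_paths(ROUTE_TABLES, PREFIX_LISTS, "198.51.100.7").items():
        print(f"{rtb}: DynamoDB traffic -> {hop}")
```

Against real data, feed the parsed `describe-route-tables` JSON and the region's actual DynamoDB prefix-list entries into `tables_paying_nat`; any route table it returns is paying NAT data-processing fees for DynamoDB calls.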

Decision Axis

Network isolation requirements determine subnet design. Private access to AWS services: Gateway Endpoint (S3/DynamoDB, free) vs. Interface Endpoint (everything else, paid).

Decision Rules

Decide whether account-level separation via AWS Organizations (a hard, platform-enforced boundary) or intra-account isolation via separate VPCs plus restrictive IAM/SCP controls satisfies the 'unreachable under any misconfiguration' constraint.

Related services: Amazon Virtual Private Cloud, AWS Organizations, AWS Identity and Access Management

Domain Coverage

Deployment

Difficulty Breakdown

Medium: 4