AWS · SOA-C03

VPC and Private Network Design — AWS SysOps Administrator (SOA-C03)

5% of exam questions (9 of 200)

NAT Gateway and VPC Endpoints Are Not Equivalent Paths

Requirement: EC2 instances in a private subnet must access Amazon S3 without traversing the public internet. Competing options: NAT Gateway vs. S3 Gateway VPC Endpoint. The deciding constraints are traffic path and cost. A NAT Gateway forwards the traffic out through the Internet Gateway to S3's public endpoint: it works, but it incurs per-GB data processing charges and the flow leaves the VPC by a public path, which fails the stated requirement. A Gateway Endpoint adds a route for the S3 prefix list to the private subnet's route table, so the traffic never leaves the AWS network, and there is no hourly or per-GB charge. The exam credits the option that satisfies the private-path requirement most directly.

What This Pattern Tests

The exam describes a network requirement and tests VPC topology decisions. Public subnets have a route to an Internet Gateway. Private subnets route 0.0.0.0/0 through a NAT Gateway for internet access (us-east-1 list price $0.045/hour + $0.045/GB processed). VPC Gateway Endpoints provide free private access to S3 and DynamoDB only; they work by adding prefix-list routes to the route tables you associate with them, and an endpoint policy limits which buckets or tables are reachable. Interface Endpoints (PrivateLink) provide private access to other AWS services and to third-party services via ENIs in your subnets ($0.01/hour per AZ plus a per-GB data processing charge). Security Groups are stateful: allow the inbound connection and the return traffic is permitted automatically by connection tracking. NACLs are stateless: both the inbound request and the outbound reply must be explicitly allowed, which is why the outbound side needs the ephemeral port range. The trap is using a NAT Gateway for S3 access from private subnets (the Gateway Endpoint is free and keeps the path private) or confusing Security Group statefulness with NACL statelessness.
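The route-table behaviour behind the NAT-versus-endpoint decision, as an added worked example rather than anything from the original page or from AWS: a gateway endpoint wins over the 0.0.0.0/0 NAT route because VPC route tables apply longest-prefix match, and the endpoint installs routes for the S3 prefix list, which are far more specific than the default route. The NAT Gateway id, endpoint id and prefix-list CIDRs below are constructed placeholders.

```python
import ipaddress

# Constructed stand-ins for the regional S3 managed prefix list (pl-xxxx). The CIDRs are
# illustrative only; the live list comes from `aws ec2 describe-managed-prefix-lists`.
S3_PREFIX_LIST_CIDRS = ["52.216.0.0/15", "54.231.0.0/16"]

NAT_GW = "nat-0123456789abcdef0"        # hypothetical NAT Gateway in the public subnet
S3_ENDPOINT = "vpce-0fedcba987654321"    # hypothetical S3 Gateway Endpoint

# Private subnet route table before the endpoint exists: everything non-local leaves via NAT.
ROUTES_NAT_ONLY = [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT_GW)]

# Associating the gateway endpoint with this route table injects one route per prefix-list CIDR.
ROUTES_WITH_ENDPOINT = ROUTES_NAT_ONLY + [(cidr, S3_ENDPOINT) for cidr in S3_PREFIX_LIST_CIDRS]


def next_hop(dst_ip, routes):
    """Longest-prefix match as a VPC route table applies it: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_path(dst_ip, routes):
    """Translate the chosen target into the traffic path the exam question is really asking about."""
    target = next_hop(dst_ip, routes)
    if target is None:
        return "no route"
    if target == "local":
        return "intra-VPC"
    if target.startswith("vpce-"):
        return "AWS private network via gateway endpoint"
    if target.startswith("nat-"):
        return "public path via NAT Gateway and Internet Gateway"
    return f"other target {target}"


if __name__ == "__main__":
    # An S3 address, an arbitrary internet address and an intra-VPC address, before and after the endpoint.
    for ip in ("52.216.10.5", "93.184.216.34", "10.0.5.7"):
        print(f"{ip:>15}: NAT only -> {classify_path(ip, ROUTES_NAT_ONLY)}; "
              f"with endpoint -> {classify_path(ip, ROUTES_WITH_ENDPOINT)}")
```

Two practical checks follow from this: the endpoint only changes the path for route tables it is associated with, so a private subnet whose table was missed keeps sending S3 traffic through the NAT Gateway; and because the instance still resolves S3 to its public IPs, the bucket policy (with an `aws:SourceVpce` condition) and the endpoint policy, not the route, are what enforce that only the intended VPC and buckets are involved.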

Decision Axis

Network isolation requirements determine subnet design. Private access to AWS services: Gateway Endpoint (S3/DynamoDB, free) vs. Interface Endpoint (everything else, paid).

Decision Rules

Choose between Transit Gateway hub-and-spoke (transitive, account-spanning, accepts spokes with overlapping CIDRs even though those particular spokes cannot reach each other) and full-mesh VPC Peering (non-transitive, O(N²) connections, 1,225 of them for 50 VPCs, and refused outright between any two VPCs whose CIDRs overlap) as the single connectivity model for a 50-VPC multi-account topology requiring any-to-any routing.

Services: AWS Transit Gateway, Amazon VPC Peering, Amazon Virtual Private Cloud

Whether to add a Security Group inbound rule (redundant, because stateful connection tracking already permits the return packets of an accepted session) or a NACL outbound rule covering the ephemeral port range 1024-65535 (required, because NACLs are stateless and evaluate the reply as a fresh outbound packet destined for the client's ephemeral port) to resolve the broken TCP session.

Services: Amazon Virtual Private Cloud, Amazon EC2, AWS VPC Flow Logs

Whether the blocking control is the stateless NACL outbound rule table on subnet-B, which requires an explicit allow covering ephemeral ports 1024-65535 for return traffic, versus the stateful Security Group on the subnet-B EC2 instance, which already implicitly permits return traffic the moment the inbound session was accepted, making any SG change unnecessary. VPC Flow Logs confirm the diagnosis: the inbound packets to port 443 show ACCEPT while the outbound replies to the client's ephemeral port show REJECT.

Services: Amazon Virtual Private Cloud, Amazon EC2, AWS VPC Flow Logs
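The two preceding decision rules describe the same failure from both sides. The following added example, written for this page and not taken from AWS or the original text, models a stateless NACL and a stateful Security Group evaluating one TCP handshake between a client in subnet-A and a server in subnet-B. The addresses, ports and rule numbers are constructed; the Security Group is modelled with an empty outbound rule set precisely to show that connection tracking, not an outbound rule, is what lets the reply through.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" (entering subnet-B / the instance) or "out" (leaving it)


@dataclass(frozen=True)
class NaclRule:
    number: int      # NACLs evaluate rules in ascending number order; the first match wins
    direction: str   # "in" or "out"
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def nacl_decision(rules, pkt):
    """Stateless evaluation: only rules for this packet's direction are consulted, nothing is
    remembered about earlier packets, and the implicit '*' rule denies whatever is left."""
    for r in sorted((r for r in rules if r.direction == pkt.direction), key=lambda r: r.number):
        if r.port_from <= pkt.dst_port <= r.port_to:
            return r.action
    return "deny"


@dataclass
class SecurityGroup:
    inbound_ports: set
    outbound_ports: set = field(default_factory=set)  # deliberately empty (see lead-in)
    _flows: set = field(default_factory=set)           # connection-tracking table of accepted 5-tuples

    def decision(self, pkt):
        """Stateful evaluation: the reverse of an accepted flow is allowed regardless of rules."""
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:
            return "allow"
        allowed = self.inbound_ports if pkt.direction == "in" else self.outbound_ports
        if pkt.dst_port in allowed:
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"


# Constructed session: subnet-A client to subnet-B HTTPS server. The client picks an ephemeral
# source port, and the SYN-ACK travels back to that port, which is what the NACL must allow outbound.
CLIENT, SERVER = "10.0.1.25", "10.0.2.40"
SYN = Packet(CLIENT, 51234, SERVER, 443, "in")
SYN_ACK = Packet(SERVER, 443, CLIENT, 51234, "out")


def simulate_session(nacl_rules, sg):
    """Return (syn_verdict, syn_ack_verdict); a packet must pass both the subnet NACL and the SG."""
    verdicts = []
    for pkt in (SYN, SYN_ACK):
        n, s = nacl_decision(nacl_rules, pkt), sg.decision(pkt)
        verdicts.append("allow" if n == s == "allow" else f"deny (nacl={n}, sg={s})")
    return tuple(verdicts)


# Misconfigured subnet-B NACL: outbound allows only 443, so the SYN-ACK to port 51234 hits '*' deny.
BROKEN_NACL = [NaclRule(100, "in", 443, 443, "allow"), NaclRule(100, "out", 443, 443, "allow")]
# Fix: an explicit outbound allow for the ephemeral range; the NACL will not infer it from the session.
FIXED_NACL = BROKEN_NACL + [NaclRule(110, "out", 1024, 65535, "allow")]

if __name__ == "__main__":
    print("broken NACL:", simulate_session(BROKEN_NACL, SecurityGroup({443})))
    print("fixed NACL: ", simulate_session(FIXED_NACL, SecurityGroup({443})))
```

Run as is, the broken table accepts the SYN and drops the SYN-ACK with the Security Group reporting allow, which is the Flow Logs pattern the question describes; the same Security Group with an added inbound rule would change nothing, because it never denied anything. Rule ordering matters too: a lower-numbered outbound deny that overlaps the ephemeral range would still win, since the first matching rule is final.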

Domain Coverage

Networking and Content Delivery

Difficulty Breakdown

Easy: 3 · Medium: 3 · Hard: 3