The correct answer is Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.

To allow an internet-facing ALB to route requests to EC2 instances in private subnets, the ALB itself must be deployed in public subnetssubnets that have a route to an internet gateway. The EC2 instances can remain in private subnets, and as long as security group rules and routing allow, the ALB can forward traffic to them. Associating the ALB with public subnets ensures it has a public IP address and can accept traffic from the internet.

Replace the ALB with a Network Load Balancer. Configure a NAT gateway in a public subnet to allow internet traffic is incorrect because a NAT gateway enables outbound internet access from private subnetsit does not allow inbound traffic from the internet. Also, a Network Load Balancer does not inherently resolve this design issue.

Move the EC2 instances to public subnets. Add a rule to the EC2 instances security groups to allow outbound traffic to 0.0.0.0/0 is incorrect because moving EC2 instances to public subnets exposes them directly to the internet, which is not secure or necessary. The goal is to keep them private and expose only the ALB.

Update the route tables for the EC2 instances subnets to send 0.0.0.0/0 traffic through the internet gateway route. Add a rule to the EC2 instances security groups to allow outbound traffic to 0.0.0.0/0 is wrong because private subnets should not route 0.0.0.0/0 directly to the internet gatewaythats what distinguishes them from public subnets. Also, outbound traffic isnt the issue here; the problem is inbound access from the internet.

Why this question matters: It tests knowledge of how AWS subnet types, load balancer placement, and routing work together to enable public access to applications while maintaining secure architecture design patterns.

Tip: Always remember: internet-facing ALBs must be deployed in public subnets. The targets (such as EC2 instances) can be in private subnets, provided routing and security groups allow traffic between the ALB and the instances.

Full AWS Practitioner Certification Question