The correct answer is Create a NAT gateway, and place it in a public subnet. Configure the private subnet route table to use the NAT gateway as the default route.

This solution enables instances in private subnets to initiate outbound connections to the internet (for downloads, updates, etc.) while still blocking unsolicited inbound connections. A NAT gateway is a fully managed service by AWS that supports high availability and scalability, and is the preferred approach over NAT instances for most use cases.

Create an internet gateway, and attach it to the VPC. Configure the private subnet route table to use the internet gateway as the default route is incorrect because instances in private subnets cannot use an internet gateway directly unless they also have public IP addresses, which would make them publicly accessible.

Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the NAT instance as the default route is incorrect because NAT instances must reside in public subnets, not private ones. Otherwise, they cannot route traffic to the internet.

Create an internet gateway, and attach it to the VPC. Create a NAT instance, and place it in the same subnet where the EC2 instance is located. Configure the private subnet route table to use the internet gateway as the default route is also incorrect. While it mixes correct and incorrect elements, it still places the NAT instance in the wrong subnet and misconfigures the route table. The internet gateway should not be the default route for private subnets.

Why this question matters: It tests your understanding of how to enable controlled outbound internet access from private subnets while maintaining secure and scalable architecture. Understanding NAT gateways and their placement is fundamental to VPC networking design.

Tip: Private subnets use NAT gateways or NAT instances in a public subnet for outbound internet access. The key is that only the NAT device is connected to the internet gateway, not the private instances themselves.

Full AWS Practitioner Certification Question