🌐 Amazon Virtual Private Cloud (VPC) - SAA-C03 Practice Questions

VPC lets you provision a logically isolated section of the AWS Cloud. Understand subnets, route tables, NAT gateways, security groups, NACLs, and VPC peering.

10 Questions Available
2 Exam Domains

Practice VPC Questions Now

Start a timed practice session focusing on Amazon Virtual Private Cloud (VPC) topics from the SAA-C03 question bank.

Start SAA-C03 Practice Quiz →

How VPC Is Really Tested in SAA-C03

VPC questions are usually troubleshooting or architecture trade-off questions, not pure memorization. The exam expects you to reason through packet flow from source to destination and identify exactly where connectivity fails.

SAA-C03 also tests network decisions tied to security and cost. In many scenarios, the right answer is the one that reduces blast radius and unnecessary data transfer charges while preserving private connectivity.

If a question includes both security groups and NACLs, read carefully: the key is often stateful versus stateless behavior, not just which control exists. A security group automatically permits the return traffic of a connection it allowed; a NACL evaluates the reply as a brand-new packet and needs an explicit rule for it on the ephemeral port range.

VPC decision trade-offs you need to distinguish quickly

Traffic filter model
  • Option A: Security groups (stateful, instance/ENI-level, allow rules only)
  • Option B: Network ACLs (stateless, subnet-level, allow and deny rules evaluated in rule-number order)
  • Exam takeaway: Questions about explicit deny controls or subnet-wide blocks usually point to NACLs.

Private egress strategy
  • Option A: NAT gateway for general internet-bound outbound traffic from private subnets
  • Option B: VPC endpoints for private access to supported AWS services
  • Exam takeaway: If the destination is an AWS service like S3 or DynamoDB, endpoints are typically more secure and cost-efficient; gateway endpoints for S3 and DynamoDB carry no charge and keep the traffic on the AWS network, while the NAT gateway bills per GB processed.

Multi-VPC connectivity at scale
  • Option A: VPC peering for a small number of direct one-to-one links (peering is not transitive)
  • Option B: Transit Gateway for transitive routing and many VPC attachments
  • Exam takeaway: As soon as architecture complexity grows, Transit Gateway is usually preferred over a peering mesh.

Private application with hybrid connectivity

A company needs private access from on-premises to multiple AWS workloads, plus controlled outbound internet access from private subnets.

  • Centralize multi-VPC and on-premises routing (Site-to-Site VPN or Direct Connect attachments) through a Transit Gateway for a cleaner topology.
  • Use dedicated Transit Gateway route tables and segmentation per environment/account so that each spoke only learns the routes it needs.
  • Prefer VPC endpoints for high-volume AWS service traffic so it bypasses the NAT gateway and its per-GB processing charges.
  • Keep internet ingress only through controlled public entry points such as an ALB in the public subnets.
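The segmentation the bullets above describe, modelled in Python: a Transit Gateway attachment is associated with exactly one TGW route table (the table consulted for traffic entering from that attachment) and can propagate its CIDRs into any number of tables. The model builds the hub-and-spoke layout (security VPC and an on-premises VPN attachment reach every spoke, prod and dev cannot reach each other) beside the single-table design that gives an any-to-any mesh. This is an added example, not code from the page and not an AWS SDK call; the attachment names, CIDRs and table names are constructed for illustration.

```python
"""Transit Gateway segmentation model: an attachment is associated with exactly one TGW route table
(the table consulted for traffic entering the TGW from it) and may propagate its CIDRs into any
number of tables (creating routes back toward it). Constructed model; nothing here calls AWS."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.attachments = {}  # attachment name -> list of CIDRs behind it
        self.tables = {}       # table name -> {"assoc": set of attachments, "routes": [(cidr, attachment)]}

    def attach(self, name, *cidrs):
        self.attachments[name] = list(cidrs)

    def add_table(self, name):
        self.tables[name] = {"assoc": set(), "routes": []}

    def associate(self, attachment, table):
        for t in self.tables.values():      # one association per attachment, as in AWS
            t["assoc"].discard(attachment)
        self.tables[table]["assoc"].add(attachment)

    def propagate(self, attachment, table):
        for cidr in self.attachments[attachment]:
            self.tables[table]["routes"].append((cidr, attachment))

    def table_for(self, attachment):
        return next(n for n, t in self.tables.items() if attachment in t["assoc"])

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix match in the source attachment's associated table; None means blackhole."""
        ip, best = ipaddress.ip_address(dst_ip), None
        for cidr, via in self.tables[self.table_for(src_attachment)]["routes"]:
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        return best[1] if best else None

    def reachable(self, src, dst):
        """A TCP session needs both directions: src routes to dst, and dst routes the reply back."""
        def sample_host(a):  # a representative host address behind attachment a
            return str(ipaddress.ip_network(self.attachments[a][0])[10])
        return self.next_hop(src, sample_host(dst)) == dst and self.next_hop(dst, sample_host(src)) == src


# Constructed attachments (not from the page): three VPCs plus an on-premises VPN attachment.
SPOKES = ("security", "prod", "dev", "onprem-vpn")
CIDRS = {"security": "10.10.0.0/16", "prod": "10.20.0.0/16", "dev": "10.30.0.0/16", "onprem-vpn": "192.168.0.0/16"}


def segmented_tgw():
    """Hub-and-spoke: security VPC and on-prem reach every spoke; prod and dev cannot reach each other."""
    tgw = TransitGateway()
    for a in SPOKES:
        tgw.attach(a, CIDRS[a])
    for t in ("shared-rt", "prod-rt", "dev-rt"):
        tgw.add_table(t)
    tgw.associate("security", "shared-rt")
    tgw.associate("onprem-vpn", "shared-rt")
    tgw.associate("prod", "prod-rt")
    tgw.associate("dev", "dev-rt")
    for a in SPOKES:                      # the shared table learns every attachment...
        tgw.propagate(a, "shared-rt")
    for a in ("security", "onprem-vpn"):  # ...workload tables learn only the shared attachments
        tgw.propagate(a, "prod-rt")
        tgw.propagate(a, "dev-rt")
    return tgw


def flat_tgw():
    """The distractor: one table with everything associated and propagated is an any-to-any mesh."""
    tgw = TransitGateway()
    tgw.add_table("flat-rt")
    for a in SPOKES:
        tgw.attach(a, CIDRS[a])
        tgw.associate(a, "flat-rt")
        tgw.propagate(a, "flat-rt")
    return tgw


def matrix(tgw):
    """{(src, dst): reachable} for every ordered pair of distinct attachments."""
    return {(s, d): tgw.reachable(s, d) for s in SPOKES for d in SPOKES if s != d}


if __name__ == "__main__":
    for name, tgw in (("segmented", segmented_tgw()), ("flat", flat_tgw())):
        blocked = sorted(pair for pair, ok in matrix(tgw).items() if not ok)
        print(name, "blocked pairs:", blocked or "none (any-to-any)")
```

Security groups, the distractor in this kind of question, never enter the model: a spoke whose TGW route table has no route toward another spoke blackholes the traffic before any instance-level control is consulted, which is why segmentation is enforced in the route tables.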

Common Exam Trap: Pointing a private subnet's default route at the internet gateway does not give instances without a public or Elastic IP any internet access (an internet gateway does not perform NAT for private addresses), and it turns the subnet into a public one; this appears regularly as a distractor answer.
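The packet-flow reasoning this section asks for (stateful security group, stateless NACL, longest-prefix route lookup, and the internet-gateway trap above) as a small Python model. It walks a TCP request and its reply through each control in order and reports the first one that drops the packet, which is exactly the "where does connectivity fail" question the exam poses. This is an added example, not code from the page or from AWS; the VPC layout, CIDRs, rule numbers, the S3 prefix-list stand-in 203.0.113.0/24 and the targets vpce-s3, nat-gw and igw are constructed for illustration.

```python
"""Trace a TCP request and its reply through VPC controls: security group (stateful, allow-only),
subnet NACL (stateless, numbered rules, implicit deny) and route table (longest-prefix match).
Pure model of the AWS semantics; nothing here talks to AWS."""
import ipaddress

REPLY_PORT = 49152  # representative ephemeral port the reply must be allowed back to


def lookup_route(routes, dst_ip):
    """Longest-prefix match over [(cidr, target), ...]; None means no route (dropped)."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def nacl_decides(rules, direction, proto, port, remote_ip):
    """Stateless: lowest-numbered matching rule wins; no match falls to the implicit '*' deny."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["dir"] == direction and r["proto"] in ("all", proto) and r["ports"][0] <= port <= r["ports"][1]
                and ip in ipaddress.ip_network(r["cidr"])):
            return r["action"] == "allow"
    return False


def sg_allows(sg, direction, proto, port, peer_ip, peer_sg):
    """Stateful: only the initiating direction is checked; a rule source is a CIDR or an SG id."""
    for r in sg[direction]:
        if r["proto"] not in ("all", proto) or not r["ports"][0] <= port <= r["ports"][1]:
            continue
        if r["src"].startswith("sg-"):
            if r["src"] == peer_sg:
                return True
        elif ipaddress.ip_address(peer_ip) in ipaddress.ip_network(r["src"]):
            return True
    return False


def trace(vpc, src, dst_ip, proto, port):
    """Return (reachable, steps); the last step names the control that dropped the packet.
    Source and destination are assumed to be in different subnets (intra-subnet traffic skips NACLs)."""
    steps, s_sub = [], vpc["subnets"][src["subnet"]]

    def check(ok, label):
        steps.append(("ok: " if ok else "FAIL: ") + label)
        return ok

    if not check(sg_allows(vpc["sgs"][src["sg"]], "outbound", proto, port, dst_ip, None),
                 f"source SG egress to {dst_ip}:{port}"):
        return False, steps
    if not check(nacl_decides(s_sub["nacl"], "outbound", proto, port, dst_ip), "source subnet NACL egress"):
        return False, steps
    target = lookup_route(s_sub["routes"], dst_ip)
    if not check(target is not None, f"route lookup -> {target}"):
        return False, steps
    if target == "igw" and not check(src["public_ip"], "IGW forwards only for a public/Elastic IP (the trap)"):
        return False, steps
    if target != "local":
        steps.append(f"ok: leaves the VPC via {target}")
    else:
        dst = vpc["hosts"][dst_ip]
        d_sub = vpc["subnets"][dst["subnet"]]
        if not check(nacl_decides(d_sub["nacl"], "inbound", proto, port, src["ip"]), "destination subnet NACL ingress"):
            return False, steps
        if not check(sg_allows(vpc["sgs"][dst["sg"]], "inbound", proto, port, src["ip"], src["sg"]),
                     "destination SG ingress (stateful: the reply needs no egress rule)"):
            return False, steps
        if not check(nacl_decides(d_sub["nacl"], "outbound", proto, REPLY_PORT, src["ip"]),
                     "destination subnet NACL egress for the reply"):
            return False, steps
    # Whatever the path, the reply re-enters the source subnet on an ephemeral port and the stateless NACL sees it.
    return check(nacl_decides(s_sub["nacl"], "inbound", proto, REPLY_PORT, dst_ip),
                 f"source subnet NACL ingress for the reply on port {REPLY_PORT}"), steps


def rule(num, direction, proto, ports, cidr, action="allow"):
    return {"num": num, "dir": direction, "proto": proto, "ports": ports, "cidr": cidr, "action": action}


ANY = (0, 65535)
OPEN_NACL = [rule(100, "inbound", "all", ANY, "0.0.0.0/0"), rule(100, "outbound", "all", ANY, "0.0.0.0/0")]
# A "hardened" app-subnet NACL written as if it were stateful: no ingress rule for replies on ephemeral ports.
APP_NACL_BROKEN = [rule(100, "outbound", "tcp", (443, 443), "0.0.0.0/0"),
                   rule(110, "outbound", "tcp", (5432, 5432), "10.0.2.0/24"),
                   rule(100, "inbound", "tcp", (22, 22), "10.0.0.0/16")]
APP_NACL_FIXED = APP_NACL_BROKEN + [rule(120, "inbound", "tcp", (1024, 65535), "0.0.0.0/0")]
S3_PREFIX = "203.0.113.0/24"  # constructed stand-in for the S3 prefix list a gateway endpoint installs


def build_vpc(app_nacl):
    """Constructed 10.0.0.0/16 VPC: app subnet (NAT + S3 gateway endpoint), db subnet,
    and a 'legacy' private subnet whose default route was pointed at the IGW."""
    allow_all_out = [{"proto": "all", "ports": ANY, "src": "0.0.0.0/0"}]
    return {
        "subnets": {
            "app": {"nacl": app_nacl, "routes": [("10.0.0.0/16", "local"), (S3_PREFIX, "vpce-s3"), ("0.0.0.0/0", "nat-gw")]},
            "db": {"nacl": OPEN_NACL, "routes": [("10.0.0.0/16", "local")]},
            "legacy": {"nacl": OPEN_NACL, "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")]},
        },
        "sgs": {"sg-app": {"inbound": [], "outbound": allow_all_out},
                "sg-db": {"inbound": [{"proto": "tcp", "ports": (5432, 5432), "src": "sg-app"}], "outbound": allow_all_out}},
        "hosts": {"10.0.2.10": {"subnet": "db", "sg": "sg-db"}},
    }


def scenarios():
    app = {"ip": "10.0.1.10", "subnet": "app", "sg": "sg-app", "public_ip": False}
    legacy = {"ip": "10.0.3.10", "subnet": "legacy", "sg": "sg-app", "public_ip": False}
    broken, fixed = build_vpc(APP_NACL_BROKEN), build_vpc(APP_NACL_FIXED)
    return {
        "app->db, broken NACL": trace(broken, app, "10.0.2.10", "tcp", 5432),
        "app->db, fixed NACL": trace(fixed, app, "10.0.2.10", "tcp", 5432),
        "app->s3, gateway endpoint": trace(fixed, app, "203.0.113.5", "tcp", 443),
        "legacy->internet, IGW route": trace(fixed, legacy, "198.51.100.7", "tcp", 443),
    }


if __name__ == "__main__":
    for name, (ok, steps) in scenarios().items():
        print(f"{name}: {'REACHABLE' if ok else 'BLOCKED'}\n  " + "\n  ".join(steps))
```

Two things to notice in the output: the broken NACL passes every check on the request and fails only on the reply, because the database security group allowed the connection statefully while the app subnet's NACL saw the reply as a new packet on port 49152; and the S3 flow is steered to the gateway endpoint by longest-prefix match, since the endpoint's prefix-list route is more specific than the 0.0.0.0/0 route to the NAT gateway.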

SAA-C03 VPC Question Bank (10 Questions)

Browse all 10 practice questions covering Amazon Virtual Private Cloud (VPC) for the SAA-C03 certification exam. Answers are intentionally hidden on this page so you can self-test first before checking results in quiz mode.

  1. Question 1 (Design Secure Architectures)

    An application in a private subnet needs to access both S3 and a third-party SaaS service that supports AWS PrivateLink. Traffic must not traverse the public internet. Which VPC endpoint configuration is required?

    A. Create Gateway VPC Endpoints for both S3 and the SaaS service.
    B. Create Interface VPC Endpoints for both S3 and the SaaS service.
    C. Create a Gateway VPC Endpoint for S3 and an Interface VPC Endpoint for the SaaS service.
    D. Use a single NAT Gateway with security group restrictions for both services.

    Answer hidden for practice.

    Use the interactive quiz to reveal the correct answer and explanation.

    Start SAA-C03 Quiz
  2. Question 2 (Design Secure Architectures)

    A hub-and-spoke network uses Transit Gateway to connect multiple VPCs. The security VPC should access all other VPCs, but production and development VPCs should not communicate with each other. How should route table associations enforce this segmentation?

    A. Use a single route table with specific route entries for each VPC.
    B. Create separate route tables: security VPC gets full routing; prod/dev get limited routing excluding each other.
    C. Configure VPC peering connections instead of Transit Gateway.
    D. Use security groups to control traffic flow between VPCs.

    Answer hidden for practice.

  3. Question 3 (Design Secure Architectures)

    An application uses a Lambda function to query a legacy database running on an EC2 instance in a private subnet. The database security group allows traffic only from the security group of the Lambda function. The Lambda function is configured to connect to the VPC. However, the Lambda function times out when trying to connect to the database. What is the most likely cause?

    A. The Lambda function execution role lacks the `AWSLambdaVPCAccessExecutionRole` permissions.
    B. The Lambda function needs a NAT Gateway to communicate with the private EC2 instance.
    C. The security group attached to the Lambda function does not allow outbound traffic to the database on the database port.
    D. The Lambda function is running in a public subnet and cannot route to the private subnet.

    Answer hidden for practice.

  4. Question 4 (Design Secure Architectures)

    A healthcare application running in a strict regulatory environment needs to access a third-party SaaS service hosted on AWS. The regulations prohibit traffic from traversing the public internet. The SaaS provider exposes their service via AWS PrivateLink. How should the Architect configure the connection?

    A. Create a VPC Peering connection between the application VPC and the SaaS provider's VPC.
    B. Create a Gateway VPC Endpoint for the SaaS service and update the route table.
    C. Create an Interface VPC Endpoint in the application VPC pointing to the SaaS service name. Security groups must allow HTTPS 443.
    D. Deploy a NAT Gateway in the VPC and restrict outbound traffic to the SaaS provider's IP range.

    Answer hidden for practice.

  5. Question 5 (Design Secure Architectures)

    A company wants to reduce NAT Gateway costs for private subnets that require occasional outbound internet access. Which alternative is most cost effective for low-volume egress?

    A. Replace NAT Gateways with a NAT instance per AZ and manage high availability manually; or minimize egress via VPC endpoints for AWS services so traffic doesn't traverse NAT Gateways.
    B. Keep NAT Gateway always on and scale horizontally.
    C. Use Internet Gateway for private subnets.
    D. Use S3 Transfer Acceleration.

    Answer hidden for practice.

  6. Question 6 (Design Secure Architectures)

    A Solution Architect is designing a multi-tier application. The application tier runs on EC2 instances in private subnets and needs to download software patches from the internet. However, the security policy mandates that no inbound internet connectivity is allowed to these instances, and the source IP address for outbound traffic must remain static for allow-listing by the software vendor. Which architecture satisfies these requirements?

    A. Deploy a NAT Gateway in a private subnet. Route outbound traffic from the application subnet to the NAT Gateway.
    B. Deploy a NAT Gateway in a public subnet. Route outbound traffic from the application subnet to the NAT Gateway. Assign an Elastic IP to the NAT Gateway.
    C. Deploy an Egress-Only Internet Gateway in the VPC. Update the route table for the private subnets to point to the gateway.
    D. Use a Proxy Server on an EC2 instance in a public subnet with a dynamic Public IP address.

    Answer hidden for practice.

  7. Question 7 (Design Secure Architectures)

    A Lambda function in a VPC needs to access both an RDS database in a private subnet and an external API on the internet. Which network configuration allows both connections?

    A. Place Lambda in private subnets with a NAT Gateway for internet access.
    B. Place Lambda in public subnets with an Internet Gateway.
    C. Use VPC endpoints for both RDS and external API access.
    D. Configure Lambda outside the VPC and use VPC peering for database access.

    Answer hidden for practice.

  8. Question 8 (Mixed)

    A cost optimization review reveals large data transfer charges between Availability Zones for an application using private subnets and NAT gateways in a single zone. How should the solutions architect reduce costs without sacrificing availability?

    A. Deploy a NAT gateway in each Availability Zone and update private subnet route tables to use the local NAT gateway.
    B. Replace NAT gateways with a single NAT instance.
    C. Move all private subnets into one Availability Zone.
    D. Allow the instances direct internet access without NAT.

    Answer hidden for practice.

  9. Question 9 (Design Cost-Optimized Architectures)

    An application running in a VPC communicates with an S3 bucket in the same region via the public internet (NAT Gateway). The team notices high data transfer charges. How can these costs be reduced?

    A. Use a Gateway VPC Endpoint for S3.
    B. Use an Interface VPC Endpoint for S3.
    C. Enable S3 Transfer Acceleration.
    D. Use Direct Connect.

    Answer hidden for practice.

  10. Question 10 (Design Secure Architectures)

    A Lambda function needs to connect to an RDS PostgreSQL database to retrieve customer information. The database is in a private subnet within a VPC. The connection must be secure and private. What is the most secure way to enable this connectivity?

    A. Move the RDS database to a public subnet and connect to its public IP address.
    B. Place the Lambda function within the same VPC as the RDS database.
    C. Use AWS Secrets Manager to store the database credentials and connect over the internet.
    D. Create a NAT Gateway and route the Lambda function's traffic through it to the database.

    Answer hidden for practice.


Key VPC Concepts for SAA-C03

vpc, subnet, route table, internet gateway, nat gateway, nacl, security group, peering, transit gateway, vpc endpoint

SAA-C03 VPC Exam Tips

Amazon Virtual Private Cloud (VPC) questions in SAA-C03 are typically scenario-based. Focus on architecture trade-offs, resilience, and secure-by-default design choices. Priority concepts: vpc, subnet, route table, internet gateway, nat gateway, nacl.

What SAA-C03 Expects

  • Anchor your answer in choosing the most reliable and cost-aware architecture pattern, not just a feature match.
  • VPC scenarios for SAA-C03 are frequently mapped to Domain 1 (Design Secure Architectures, 30%) and Domain 3 (Design High-Performing Architectures, 24%), so read the objective carefully before picking controls or architecture.
  • Expect multi-topic scenarios where VPC interacts with IAM, networking, storage, or observability patterns rather than appearing as an isolated question.
  • When two options are both technically valid, prefer the choice that best aligns with the exam's operational scope (Associate) and vendor best practices.

High-Value VPC Concepts

  • Know the core VPC building blocks cold: vpc, subnet, route table, internet gateway.
  • Review the edge-case features and limits for NAT gateways (zonal, so each AZ needs its own; hourly plus per-GB processing charges; outbound-initiated connections only) and NACLs (stateless, numbered rules evaluated lowest first, subnet-wide); these details are commonly used to differentiate answer choices.
  • Practice service-integration reasoning: how VPC pairs with EC2, ELB, CloudFront, Route 53 in real deployment patterns.
  • For SAA-C03, explain why the chosen VPC design meets reliability, security, and cost expectations better than the alternatives.

Common SAA-C03 Traps

  • Watch for answers that solve today's issue but do not scale across multiple AZs.
  • Questions in Design Secure Architectures often include distractors that look correct for VPC but violate least-privilege, durability, or availability requirements.
  • Avoid picking options purely by feature name; validate data path, failure handling, and governance impact before answering.
  • If the prompt hints at automation or repeatability, eliminate manual-only operational answers first.

Fast Review Checklist

  • Can you compare at least two VPC implementation paths and justify which one best fits the scenario?
  • Can you map the chosen answer back to Design Secure Architectures (30%) outcomes for SAA-C03?
  • Can you explain security and access boundaries for VPC without relying on default-open assumptions?
  • Can you describe how VPC integrates with EC2 and ELB during failure, scaling, and monitoring events?
