Internet Gateway

Correct Answer: Check if the Internet Gateway is attached to the VPC

For any resource in a public subnet to be reachable from the internet, the VPC must have an Internet Gateway (IGW) attached. The IGW provides a target for the subnet route table's default route (0.0.0.0/0) so that inbound and outbound internet traffic can traverse the VPC edge. Without an attached IGW, no amount of security group, NACL, or instance-level configuration will make the application reachable from the internet. A NAT gateway is for outbound-only internet access from private subnets, and VPC peering does not provide internet connectivity. While security group rules also need to allow inbound traffic, the question asks for the first VPC-level check, which is confirming the IGW is attached.

Correct Answer: Create a VPC without attaching an Internet Gateway

Not attaching an Internet Gateway (and not adding an egress-only Internet Gateway) ensures there is no route to or from the public internet for either IPv4 or IPv6. This design-level control prevents both inbound and outbound internet connectivity by default while still allowing private connectivity to AWS services via VPC endpoints. A NAT Gateway is intended for outbound internet access and in practice requires an Internet Gateway, so it is inappropriate for a no-internet VPC. Attaching an Internet Gateway and then relying on security groups or network ACLs to deny traffic is error-prone and can be inadvertently changed. There is no single "disable default VPC routing" feature in AWS; routing is controlled via route tables.

Correct Answer: Private subnet instances need NAT Gateway for internet access

Private subnet instances cannot access the Internet directly through the Internet Gateway. You need a NAT Gateway in the public subnet to enable internet access for instances in the private subnet.