Route Tables

5 minutes 5 Questions

Route Tables are used to define routes for the traffic within a VPC, allowing communication between subnets and determining how network traffic is directed between resources. Each subnet within a VPC must be associated with a route table, and the table can have multiple entries with varying rules c…

Guide: Understanding Route Tables in Amazon VPC

What is Route Table in Amazon VPC?

A Route Table in Amazon VPC is a fundamental component which is used to determine where network traffic is directed, based on its destination IP address. Every subnet in a VPC must be associated with a route table; which controls the traffic for that subnet.

Importance of Route Tables in Amazon VPC

Route Tables plays a vital role in the management and control of network traffic flow. With Route tables, you can ensure that traffic is routed correctly to its intended destination. Incorrectly configured route tables can cause traffic loss, unnecessary cost and security issues.

How Route Tables work?

A route table contains a set of rules, called routes, which are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the traffic for that subnet. Route tables contain a default route called the local route, which enables communication within the VPC.

Exam Tips: Answering Questions on Route Tables

When tackling exam questions on Route Tables, remember the following tips:

Understand that every subnet in your VPC is associated with a route table.
Understand the function of a local route in Amazon VPC.
Make sure you're aware of the security implications of correctly configuring your route tables.
Remember that modifications to route tables can cause traffic to be routed in non-intuitive ways - so understanding the impact of changes is key.

Test mode:

Exam (Timed)

Practice (With explanations)

Start practice test

AWS Certified Solutions Architect - Route Tables Example Questions

Test your knowledge of Route Tables

Question 1

A company set two instances in two subnets, Instance A in Subnet A, and Instance B in Subnet B. Instance A is connected to their headquarters via a VPN connection. They want all traffic between Instance B and the Headquarters to pass through Instance A for further inspection and monitoring. Which Route Table configuration is required?

In Subnet B's Route Table, add a route with the on-premises network CIDR as the destination and Instance A's network interface as target. In the main Route Table, add a route with the on-premises network CIDR as the destination and Instance A as the target. Create an additional peering connection between Subnet A and Subnet B. In Subnet B's Route Table, add a route with the on-premises network CIDR as the destination and a Virtual Private Gateway as target.

Correct Answer: In Subnet B's Route Table, add a route with the on-premises network CIDR as the destination and Instance A's network interface as target.

You need to configure Subnet B's Route Table to direct all traffic that is destined for the on-premises network to pass through Instance A's network interface. This will achieve the desired level of inspection and monitoring without making changes to the on-premises network or creating additional network devices or connections.

Question 2

An organization launches temporary Amazon EC2 instances in a dedicated subnet for a batch job. The instances must download updates from the Internet but must not be reachable from the Internet. What route table configuration should the subnet use?

Update the main Route Table to allow internet access for the entire VPC. Add a separate route entry for each Batch Instance, targeting the Internet Gateway. Add a route entry targeting a VPC endpoint for the Batch Instances. In the batch instances' subnet, add a 0.0.0.0/0 route that targets a NAT Gateway in a public subnet which has a route to an Internet Gateway.

Correct Answer: In the batch instances' subnet, add a 0.0.0.0/0 route that targets a NAT Gateway in a public subnet which has a route to an Internet Gateway.

To allow instances to initiate outbound Internet connections without allowing inbound connections from the Internet, place them in a private subnet and route their default traffic (0.0.0.0/0) to a NAT Gateway. The NAT Gateway resides in a public subnet that has a default route to an Internet Gateway. With this setup, instances do not need public IPs and are not directly addressable from the Internet, while the NAT Gateway provides stateful outbound access and return traffic for established connections.

Question 3

An EC2 instance hosts a public website in a VPC. The instance is in a public subnet, has an Elastic IP, and the subnet’s route table already includes a 0.0.0.0/0 route to an Internet Gateway. You need to allow only specific administrator source IP addresses to access the instance via SSH (TCP 22). What change, if any, is required to the subnet’s route table?

Change the main Route Table to allow SSH traffic through the Internet Gateway. Add a route entry targeting the Instance's Elastic IP address and specifying the management SSH port as the destination. Add a route entry targeting the NAT gateway for SSH traffic. No change to the route table; restrict SSH access using the instance’s security group by allowing TCP 22 only from the administrators’ source IPs.

Correct Answer: No change to the route table; restrict SSH access using the instance’s security group by allowing TCP 22 only from the administrators’ source IPs.

When an EC2 instance is already reachable on the internet (public subnet with a 0.0.0.0/0 route to an Internet Gateway and a public/Elastic IP), inbound reachability is established at the routing layer. Route tables do not filter by protocol or port and cannot target an Elastic IP; they simply direct IP prefixes to targets such as an Internet Gateway, NAT gateway, or network interface. To control who can SSH to the instance, use the instance’s security group to allow TCP 22 only from the administrators’ specific source IP addresses. No additional route table entries are required for SSH, and a NAT gateway is not used for inbound connections.

🎓 Unlock Premium Access

AWS Certified Solutions Architect - Associate + ALL Certifications

🎓 Access to ALL Certifications: Study for any certification on our platform with one subscription
5645 Superior-grade AWS Certified Solutions Architect - Associate practice questions
Unlimited practice tests across all certifications
Detailed explanations for every question
AWS Certified Solutions Architect: 5 full exams plus all other certification exams
100% Satisfaction Guaranteed: Full refund if unsatisfied
Risk-Free: 7-day free trial with all premium features!

Start Your Free 7-Day Trial