I am currently preparing for the AWS SysOps Administrator Associate exam using the study guide book (https://www.amazon.com/dp/1119561558/). In the review question for chapter 8 - Bastion Hosts there are two questions about "Private VPC" which I cannot get my head around:
"2) Which of the following does a bastion host provide to a private VPC?"
- My Answer: Access to the resources in the VPC through a host inside the VPC
- Correct Answer: Access to the resources in the VPC through a host outside the VPC
"15) You have just inherited a new network architecture that has a private VPC with numerous resources within it and a bastion host for administrative access. Which of the following would you do first?"
- My Answer: Remove any Internet gateways on the private VPC.
- Correct Answer: Whitelist any IPs that need to access the bastion host.
As far as I understand it, a typical VPC architecture is to have a public subnet, with an Internet Gateway and the bastion host in it, and a private subnet with neither.
But what exactly is meant by "private VPC" here? Is it a VPC that is not accessible from the outside at all? But how can a bastion host outside the VPC then access it? Or do they really mean a private subnet? But how can a subnet be really private if it has an Internet Gateway in it? In other courses the IG is defined as exactly the thing that makes a subnet public...
Am I totally misunderstanding something conceptually here?
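The confusion in the question is about what makes a subnet "public". As an added illustration (not part of the question or of the study guide), the script below models the shape of the EC2 DescribeRouteTables and DescribeSecurityGroups responses with constructed data and checks two things a SysOps reviewer would look at first: whether a subnet has a route to an Internet Gateway (which is what makes it public; the gateway itself is attached to the VPC, not placed inside a subnet), and whether SSH to the bastion is restricted to an allowlisted range while the private hosts accept SSH only from the bastion's security group. All resource IDs are hypothetical, the 203.0.113.0/24 range is a documentation range, and the 256-address "too broad" threshold is an assumption for this example.

```python
"""Offline audit of constructed VPC route-table and security-group data,
shaped like the EC2 DescribeRouteTables / DescribeSecurityGroups responses.
Every ID and address below is a constructed example, not a real resource."""
import ipaddress

# Constructed sample: a public subnet (default route to an Internet Gateway)
# and a private subnet (default route to a NAT gateway, no IGW route at all).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-pub-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-pub-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"},
        ],
    },
    {
        "RouteTableId": "rtb-priv-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-priv-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"},
        ],
    },
]

# Constructed sample security groups: the bastion's group allows SSH only from
# an allowlisted range; the private hosts allow SSH only from the bastion's group.
BASTION_SG_ID = "sg-bastion-EXAMPLE"
SECURITY_GROUPS = [
    {
        "GroupId": BASTION_SG_ID,
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}],  # documentation range
             "UserIdGroupPairs": []},
        ],
    },
    {
        "GroupId": "sg-app-EXAMPLE",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [],
             "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
        ],
    },
]


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its associated route table has a route whose
    target is an Internet Gateway (igw-...). The route, not the subnet the
    bastion sits in, is what makes the subnet reachable from the Internet."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
    return False  # no explicit association in this sample data: treat as not public


def _covers_port(perm, port):
    """True if a permission entry includes the given TCP port."""
    if perm["IpProtocol"] == "-1":  # all traffic
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]


def ssh_sources(sg):
    """Return (cidrs, group_ids) permitted to reach TCP/22 on this group."""
    cidrs, groups = [], []
    for perm in sg["IpPermissions"]:
        if _covers_port(perm, 22):
            cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
            groups += [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
    return cidrs, groups


def overly_broad_ssh_cidrs(sg, max_hosts=256):
    """CIDRs allowed on port 22 that are wider than an allowlist should be.
    The max_hosts threshold is an assumption for this example; 0.0.0.0/0
    is always flagged because it covers the whole Internet."""
    cidrs, _ = ssh_sources(sg)
    return [c for c in cidrs if ipaddress.ip_network(c).num_addresses > max_hosts]


def ssh_only_via_bastion(sg, bastion_sg_id):
    """True when the only permitted SSH source is the bastion's security group,
    i.e. private hosts cannot be reached on 22 except by hopping through it."""
    cidrs, groups = ssh_sources(sg)
    return not cidrs and groups == [bastion_sg_id]


if __name__ == "__main__":
    for sid in ("subnet-pub-EXAMPLE", "subnet-priv-EXAMPLE"):
        print(sid, "public" if subnet_is_public(sid, ROUTE_TABLES) else "private")
    print("bastion SSH sources too broad:", overly_broad_ssh_cidrs(SECURITY_GROUPS[0]))
    print("app SSH only via bastion:", ssh_only_via_bastion(SECURITY_GROUPS[1], BASTION_SG_ID))
```

Against real account data the same functions can be fed the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`; the point of the check is that "private" is a property of the subnet's route table, and "whitelisting IPs for the bastion" is a property of the bastion's security group, so the two exam answers are about different layers of the same design.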