Your organization was looking to download patches onto an existing EC2 instance inside a private subnet in an existing custom VPC. You created a NAT Gateway. However, when you try to download patches from the internet onto the EC2 instance, the connection gets timed out. What could be the reason? (Select TWO)

Answer options:

A.NAT Gateway created in a private subnet without an Internet Gateway.
B.NAT Gateway is created without an Elastic IP Address. 
C.The route table is NOT updated to direct Internet-bound traffic to the NAT gateway.
D.NAT Gateway’s Security Group inbound rules do not allow traffic from EC2 instance.

Answer - A and C
For
Option A, when creating NAT Gateway, there is an option to select a subnet in which NAT Gateway will be created. This must be a public subnet that has a route to the internet through Internet Gateway.
If a private subnet is selected when creating NAT Gateway, it cannot route traffic to the internet, and hence the requests would fail.
 https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/
For Option B, NAT Gateway cannot be created without an elastic IP address. During the creation of NAT Gateway, Elastic IP Allocation ID is a mandatory field without which we cannot proceed to create NAT Gateway. So this option is incorrect.
For Option C, there might be a chance that the route table has not been updated to direct Internet-bound traffic to the NAT gateway.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html#VPCSe curityGroups
For Option D, NAT Gateways does not have security groups.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html#nat- gateway-basics
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html
As per AWS documentation,
Instances in Private Subnet Cannot Access internet
Check that the NAT gateway is in the Available state. In the Amazon VPC console, go to the NAT Gateways page and view the status information in the details pane. If the NAT gateway is in a failed state, there may have been an error when created. 
Check that you`ve configured your route tables correctly:
The NAT gateway must be in a public subnet with a routing table that routes internet traffic to an internet gateway. 
Your instance must be in a private subnet with a routing table that routes internet traffic to the NAT gateway.
Check that there are no other route table entries that route all or part of the internet traffic to another device instead of the NAT gateway.
The NAT gateway allows all outbound traffic and traffic received in response to an outbound request (it is therefore stateful).
Reference:
https://aws.amazon.com/premiumsupport/knowledge-center/nat-gateway-vpc-private-subnet/
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html