A Solutions Architect is designing an online shopping application running in a VPC on EC2 Instances behind an Elastic Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer-managed database cluster. There should be no access to the database from the Internet. But the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements?

Answer options:

A.Create public subnets for the application tier and the database cluster.
B.Create public subnets for the application tier and private subnets for the database cluster.
C.Create public subnets for the application tier and NAT Gateway, and private subnets for the database cluster.
D.Create private subnets for the application tier, and private subnets for the database cluster and NAT Gateway.

Correct Answer – C
The following diagram from AWS Documentation shows the right setup for this scenario: 
We always need to keep NAT gateway on public Subnet only, because it needs to communicate the Internet. 
AWS says that "To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you`ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet."
NOTE:
Here the requirement is that "There should be no access to the database from the Internet, but the cluster must be able to obtain software patches from the Internet."
1) There should be no access to the database from the Internet.
To achieve this step, we have to launch the database inside the private subnet.
2) But the cluster must be able to obtain software patches from the Internet.
For this, we have to create NAT Gateway inside the Public Subnet. Because the subnet with the internet gateway attached is known as Public Subnet. Through the NAT Gateway, a database inside the Private subnet can access the internet. Option D is saying that "Use private subnet for NAT gateway".
Option C includes these discussed Points, and thus, it`s a perfect answer.
For more information on this setup, please refer to the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html