A company is building a multi-tier web application with: web and application servers on Amazon EC2 Auto Scaling groups, and an Amazon RDS DB instance. The solutions architect must restrict access to the application servers so only the web servers can reach them. Which solution meets this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers..
Why this is the answer
The correct solution uses an Application Load Balancer (ALB) and security groups. An ALB is ideal for HTTP/HTTPS traffic, which is typical for web and application servers, and can distribute requests across the application servers in the Auto Scaling group. Security groups act as virtual firewalls at the instance level. By configuring the application server security group to allow inbound traffic only from the web server security group, you effectively restrict access. Incorrect options: AWS PrivateLink and VPC endpoints are for private connectivity to AWS services or services hosted by other AWS accounts, not for restricting traffic between tiers within the same application. Network ACLs operate at the subnet level and are stateless, making security groups a more granular and stateful choice for instance-level access control. While a Network Load Balancer (NLB) could forward traffic, an ALB is more appropriate for HTTP/HTTPS filtering and routing, and the security group is the primary mechanism for instance-level access control.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed