A company launched Linux application instances on Amazon EC2 in a private subnet and a Linux bastion host on an EC2 instance in a public subnet. A solutions architect must enable connections from the on-premises network (via the company internet connection) to the bastion host and then to the application servers. The security groups on all EC2 instances must allow this access. Which combination of steps should the solutions architect take? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company., Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host..
Why this is the answer
The bastion host needs to be accessible from the on-premises network. Therefore, its security group must allow inbound access from the company's external IP range (the IP address seen by the internet). The application instances are in a private subnet and should only be accessible via the bastion host. Their security group must allow inbound SSH access from the bastion host's private IP address, as communication within the VPC uses private IPs. Allowing inbound access from the application instances to the bastion host is incorrect; the flow is from on-premises to bastion, then bastion to application. Allowing inbound access from the public IP of the bastion host to the application instances is also incorrect because internal VPC communication uses private IPs.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed