A solutions architect is designing a VPC with multiple subnets to host EC2 instances and Amazon RDS DB instances. The VPC has six subnets across two Availability Zones: in each AZ there is a public subnet, a private subnet, and a database-dedicated subnet. Only EC2 instances in the private subnets should be able to access the RDS databases. Which solution enforces this requirement?
Choose an answer
Tap an option to check your answer.
Correct answer: Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances..
Why this is the answer
The correct solution is to create a security group that allows inbound traffic from the security group assigned to instances in the private subnets and attach it to the DB instances. Security groups act as virtual firewalls at the instance level, controlling inbound and outbound traffic. By specifying the private subnet's security group as the source for allowed inbound traffic to the RDS security group, you ensure only instances within those private subnets can connect to the databases, fulfilling the requirement. The other options are incorrect because: Route tables control network traffic routing, not instance-level access control. Excluding public subnet CIDR blocks wouldn't prevent access if a route existed through other means. Security groups are stateful and implicitly deny all traffic not explicitly allowed. Creating a security group to deny traffic is less effective and more complex than explicitly allowing the desired traffic. Peering connections are used to connect VPCs, not to control access between subnets within the same VPC.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed