A two-tier architecture has a public subnet for web servers and a database subnet for an Amazon RDS for MySQL DB instance. Web servers in the public subnet must be open to the internet on port 443. The DB instance must be accessible only to the web servers on port 3306. Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443., Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306..
Why this is the answer
The first correct option, "Create a security group for the web servers in the public subnet. Add a rule to allow traffic from 0.0.0.0/0 on port 443," correctly addresses the requirement for web servers to be open to the internet on port 443. Allowing traffic from 0.0.0.0/0 means allowing traffic from any IP address, which is necessary for public internet access. The second correct option, "Create a security group for the DB instance. Add a rule to allow traffic from the web servers’ security group on port 3306," ensures the DB instance is accessible only to the web servers on port 3306. Referencing the web servers' security group is a best practice for tightly coupling access between application tiers, as it dynamically adapts to changes in web server IPs. The incorrect option "Create a network ACL for the public subnet. Add a rule to deny outbound traffic to 0.0.0.0/0 on port 3306" is unnecessary and overly restrictive; security groups handle instance-level traffic filtering, and denying outbound traffic from web servers to the internet on port 3306 doesn't directly address the inbound access requirement for the DB. The option "Create a security group for the DB instance. Add a rule to allow traffic from the public subnet CIDR block on port 3306" is less secure than referencing the web server's security group, as it would allow any instance within the public subnet to access the
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed