Q97 — AWS SAA-C03 Ch.4


Q292. A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information. The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running. All configurations for the network ACLs, security groups, and route tables are still in their default states. What should a solutions architect recommend to fix the application?

Correct Answer: D. Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the web tier's security group.

Explanation

The web tier in the public subnets cannot connect to the RDS DB instance in the private subnets, even though the database is up and the network ACLs, security groups, and route tables are all still in their default states. A Solutions Architect should recommend adding an inbound rule to the security group of the database tier's RDS instance that allows traffic from the web tier's security group. Therefore, option D is the correct answer.

Option A suggests adding an explicit rule to the private subnet's network ACL to allow traffic from the web tier's EC2 instances. However, network ACLs are stateless, so both an inbound and an outbound rule would have to be added to enable two-way communication between the web and database tiers, and the default network ACL already allows all inbound and outbound traffic, so it is not what is blocking the connection.

Option B suggests adding a route in the VPC route table to allow traffic between the web tier's EC2 instances and the database tier. However, route tables direct traffic between subnets and to gateways such as an internet gateway; they do not control communication between security groups, and the VPC's default local route already covers traffic between subnets in the same VPC.

Option C suggests deploying the web tier's EC2 instances and the database tier's RDS instance into two separate VPCs and configuring VPC peering. While VPC peering can enable communication between resources in different VPCs, it is not needed to solve the problem at hand and adds complexity to the architecture.

Security groups act as virtual firewalls that control inbound and outbound traffic at the instance level. By adding an inbound rule to the security group associated with the RDS instance that allows traffic from the security group associated with the web tier's Auto Scaling group, the web tier can reach the database tier through the DB instance endpoint, and because security groups are stateful, the return traffic is allowed automatically. This solution meets the requirements stated in the question and is the simplest and most effective way to solve the problem.
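As an added example that is not part of the original question or explanation, the recommended fix expressed as Terraform. The resource names, the `var.vpc_id` variable, and the use of MySQL's default port 3306 are assumptions; the web security group would be attached through the Auto Scaling group's launch template and the database security group through the RDS instance's `vpc_security_group_ids`, neither of which is shown here.

```hcl
# Added example, not from the original page. Names and var.vpc_id are
# assumptions; 3306 is MySQL's default port.

resource "aws_security_group" "web" {
  name        = "web-tier"
  description = "Instances launched by the web tier Auto Scaling group"
  vpc_id      = var.vpc_id # assumed variable holding the VPC ID
}

resource "aws_security_group" "db" {
  name        = "db-tier"
  description = "Amazon RDS for MySQL DB instance"
  vpc_id      = var.vpc_id
  # No inbound rules: a security group with no ingress denies all inbound
  # traffic, which is the symptom described in the question.
}

# Option D: allow inbound MySQL traffic to the database security group only
# from members of the web tier's security group. Referencing the security
# group instead of a CIDR range means every instance the Auto Scaling group
# launches is covered without editing the rule.
resource "aws_vpc_security_group_ingress_rule" "db_from_web" {
  security_group_id            = aws_security_group.db.id
  description                  = "MySQL from web tier"
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.web.id
}

# Security groups are stateful, so the response to an allowed inbound
# connection needs no extra rule. The web tier does need egress to 3306:
# AWS creates an allow-all egress rule on a new security group, but the
# Terraform aws_security_group resource removes it when the resource
# defines no egress, so a least-privilege egress rule is added explicitly.
resource "aws_vpc_security_group_egress_rule" "web_to_db" {
  security_group_id            = aws_security_group.web.id
  description                  = "MySQL to database tier"
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.db.id
}
```

The rule referencing `aws_security_group.web.id` is the key point: it grants access based on group membership rather than on addresses, so it keeps working as instances scale in and out across Availability Zones, and it scopes the database to a single port from a single source group instead of opening it to the whole VPC CIDR.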