AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 73
A network architect is designing a website. It has web, application, and database tiers that will run in AWS. The website uses Amazon DynamoDB.
Which architecture will minimize public exposure of the backend instances?
Answer options
- A. A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
- B. A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
- C. A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
- D. A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
Correct answer: B
Explanation
Option B is correct because it places both the web and application tiers in private subnets, so the only internet-facing component is the ALB in the public subnets; the web tier receives traffic solely from the ALB, and the application tier reaches DynamoDB through a VPC endpoint, which keeps that traffic on the AWS network without requiring an internet gateway or NAT path from the private subnets. The other options place either the web tier (A, C) or the application tier (D) in public subnets, which exposes backend instances directly to the internet and increases the risk of unauthorized access.