AWS Certified Solutions Architect – Associate (SAA-C02) — Question 529
A solutions architect at a company is designing the architecture for a two-tiered web application. The web application is composed of an internet-facing Application Load Balancer (ALB) that forwards traffic to an Auto Scaling group of Amazon EC2 instances. The EC2 instances must be able to access a database that runs on Amazon RDS.
The company has requested a defense-in-depth approach to the network layout. The company does not want to rely solely on security groups or network ACLs.
Only the minimum resources that are necessary should be routable from the internet.
Which network design should the solutions architect recommend to meet these requirements?
Answer options
- A. Place the ALB, EC2 instances, and RDS database in private subnets.
- B. Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.
- C. Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets.
- D. Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.
Correct answer: B
Explanation
To achieve a defense-in-depth network design, only the public-facing entry point (the ALB) should reside in public subnets to receive external traffic. The backend Amazon EC2 instances and the Amazon RDS database should be isolated in private subnets so they cannot be directly accessed or routed from the internet. Keeping the EC2 instances in private subnets minimizes the attack surface, while an ALB in private subnets or outside the VPC would fail to route public internet traffic.
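The distinction the explanation relies on (a subnet is "public" only if its effective route table has a route to an internet gateway) can be checked mechanically. The following is an added example, not part of the original question or any AWS documentation: it reads route tables shaped like the EC2 DescribeRouteTables response (all values below are constructed sample data, and the tier names "alb", "ec2" and "rds" are labels chosen here), works out which subnets are internet-routable, and flags any tier that sits in the wrong kind of subnet, which is the difference between options A, B and C.

```python
"""Audit a two-tier VPC layout: which subnets are internet-routable, and
does each tier sit where a defense-in-depth design expects it?

Added example, not part of the original question or AWS documentation.
The input mirrors the shape of the EC2 DescribeRouteTables API (RouteTables
-> Routes, Associations), but every value here is constructed sample data.
"""

from typing import Dict, List, Set

# Constructed sample: the VPC's main route table (local route only), a table
# with a default route to an internet gateway, and a table whose default
# route goes to a NAT gateway (outbound only, so still private).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app-a"}, {"SubnetId": "subnet-db-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123"},
        ],
    },
]

# Every subnet in the VPC; "subnet-orphan" has no explicit association and
# therefore inherits the main route table (constructed).
ALL_SUBNETS = ["subnet-pub-a", "subnet-pub-b", "subnet-app-a", "subnet-db-a", "subnet-orphan"]

# Tier placements corresponding to answer options A, B and C (constructed).
OPTION_A = {"alb": "subnet-app-a", "ec2": "subnet-app-a", "rds": "subnet-db-a"}
OPTION_B = {"alb": "subnet-pub-a", "ec2": "subnet-app-a", "rds": "subnet-db-a"}
OPTION_C = {"alb": "subnet-pub-a", "ec2": "subnet-pub-b", "rds": "subnet-db-a"}


def public_subnets(route_tables: List[dict], all_subnets: List[str]) -> Set[str]:
    """Return the subnets whose effective route table contains a route to an
    internet gateway (igw-*). A subnet with no explicit association uses the
    VPC's main route table. A NAT gateway route does not make a subnet public."""
    main_is_public = False
    explicit: Dict[str, bool] = {}
    for rt in route_tables:
        has_igw = any(str(r.get("GatewayId", "")).startswith("igw-") for r in rt["Routes"])
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_is_public = has_igw
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = has_igw
    return {s for s in all_subnets if explicit.get(s, main_is_public)}


def audit_placement(placements: Dict[str, str], public: Set[str],
                    internet_facing: Set[str] = frozenset({"alb"})) -> List[str]:
    """Flag tiers in the wrong kind of subnet. Tiers named in `internet_facing`
    must be in a public subnet (otherwise they cannot receive internet traffic);
    every other tier must be in a private subnet (otherwise it is routable from
    the internet regardless of security groups or NACLs)."""
    findings = []
    for tier, subnet in placements.items():
        is_public = subnet in public
        if tier in internet_facing and not is_public:
            findings.append(f"{tier}: private subnet {subnet}, cannot receive internet traffic")
        elif tier not in internet_facing and is_public:
            findings.append(f"{tier}: public subnet {subnet}, routable from the internet")
    return findings


if __name__ == "__main__":
    pub = public_subnets(ROUTE_TABLES, ALL_SUBNETS)
    print("public subnets:", sorted(pub))
    for name, placement in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(f"option {name}:", audit_placement(placement, pub) or "no findings")
```

Only option B produces no findings: the ALB is the sole tier in an IGW-routed subnet, and the EC2 and RDS tiers sit behind a NAT route, so they can reach the internet for patches but nothing on the internet has a route to them. Note that the audit deliberately ignores security groups and NACLs, matching the requirement that the design not rely on them alone; it judges the routing layer by itself.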