AWS Certified Solutions Architect – Associate (SAA-C02) — Question 724

A company runs a web application on Amazon EC2 instances in multiple Availability Zones. The EC2 instances are in private subnets. A solutions architect implements an internet-facing Application Load Balancer (ALB) and specifies the EC2 instances as the target group. However, the internet traffic is not reaching the EC2 instances.
How should the solutions architect reconfigure the architecture to resolve this issue?

Answer options

• A. Replace the ALB with a Network Load Balancer. Configure a NAT gateway in a public subnet to allow internet traffic.
• B. Move the EC2 instances to public subnets. Add a rule to the EC2 instances' security groups to allow outbound traffic to 0.0 0 0/0.
• C. Update the route tables for the EC2 instances' subnets to send 0.0.0 0/0 traffic through the Internet gateway route. Add a rule to the EC2 instances' security groups to allow outbound traffic to 0 0.0.0/0.
• D. Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.

Correct answer: D

Explanation

To accept traffic from the public internet, an internet-facing Application Load Balancer (ALB) must be deployed in public subnets (which have routes to an Internet gateway) across each Availability Zone. The target EC2 instances themselves should remain in private subnets for security, as the ALB will forward the traffic to them internally. Moving the instances to public subnets or modifying their route tables directly is unnecessary and reduces the security posture of the application.