AWS Certified Solutions Architect – Associate (SAA-C02) — Question 764
A company is designing an application to run in a VPC on AWS. The application consists of Amazon EC2 instances that run in private subnets as part of an Auto Scaling group. The application also includes a Network Load Balancer that extends across public subnets. The application stores data in an Amazon RDS DB instance.

The company has attached a security group that is named `web-servers` to the EC2 instances. The company has attached a security group that is named `database` to the DB instance.
How should a solutions architect configure the communication between the EC2 instances and the DB instance?
Answer options
- A. Configure the `web-servers` security group to allow access to the DB instance's current IP addresses. Configure the `database` security group to allow access from the current set of IP addresses in use by the EC2 instances.
- B. Configure the `web-servers` security group to allow access to the `database` security group. Configure the `database` security group to allow access from the `web-servers` security group.
- C. Configure the `web-servers` security group to allow access to the DB instance's current IP addresses. Configure the `database` security group to allow access from the Auto Scaling group.
- D. Configure the `web-servers` security group to allow access to the `database` security group. Configure the `database` security group to allow access from the Auto Scaling group.
Correct answer: C
Explanation
To enable communication, the `web-servers` security group must allow outbound traffic to the specific IP addresses used by the DB instance. At the same time, the `database` security group must be configured to accept inbound traffic from the Auto Scaling group so that instances added during scaling events are covered automatically. The other options do not combine these two security group configurations correctly.