AWS Certified Solutions Architect – Associate (SAA-C02) — Question 796

A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple
Availability Zones. The database tier consists of Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information.
The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running. All configurations for the network ACLs, security groups, and route tables are still in their default states.
What should a solutions architect recommend to fix the application?

Answer options

• A. Add an explicit rule to the private subnet's network ACL to allow traffic from the web tier's EC2 instances.
• B. Add a route in the VPC route table to allow traffic between the web tier's EC2 instances and the database tier.
• C. Deploy the web tier's EC2 instances and the database tiers RDs instance into two separate VPCs, and configure VPC peering.
• D. Add an inbound rule to the security group of the database tier's RDS Instance to allow traffic from the web tier's security group.

Correct answer: D

Explanation

By default, security groups block all inbound traffic unless explicitly permitted. To allow the web tier to connect to the Amazon RDS DB instance, an inbound rule must be added to the RDS security group that permits traffic from the web tier's security group. Default network ACLs and local routes within a VPC already permit all internal communication, so modifying them is not required.