AWS Certified Solutions Architect – Associate (SAA-C03) — Question 380

A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information.

The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running. All configurations for the network ACLs, security groups, and route tables are still in their default states.

What should a solutions architect recommend to fix the application?

Answer options

• A. Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.
• B. Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database tier.
• C. Deploy the web tier's EC2 instances and the database tier’s RDS instance into two separate VPCs, and configure VPC peering.
• D. Add an inbound rule to the security group of the database tier’s RDS instance to allow traffic from the web tiers security group.

Correct answer: D

Explanation

By default, newly created security groups block all inbound traffic, meaning the RDS instance's security group is preventing the web tier from connecting. Adding an inbound rule to the RDS security group that allows traffic from the web tier's security group resolves this block. Default network ACLs and VPC route tables already allow all internal subnet-to-subnet communication, so modifications to those components are unnecessary.