AWS Certified Solutions Architect – Associate (SAA-C03) — Question 737
A company wants to deploy an internal web application on AWS. The web application must be accessible only from the company's office. The company needs to download security patches for the web application from the internet.
The company has created a VPC and has configured an AWS Site-to-Site VPN connection to the company's office. A solutions architect must design a secure architecture for the web application.
Which solution will meet these requirements?
Answer options
- A. Deploy the web application on Amazon EC2 instances in public subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the inbound source of the ALB's security group to 0.0.0.0/0.
- B. Deploy the web application on Amazon EC2 instances in private subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet gateway to the VPC. Set the inbound source of the ALB's security group to the company's office network CIDR block.
- C. Deploy the web application on Amazon EC2 instances in public subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in private subnets. Attach an internet gateway to the VPC. Set the outbound destination of the ALB's security group to the company's office network CIDR block.
- D. Deploy the web application on Amazon EC2 instances in private subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the outbound destination of the ALB's security group to 0.0.0.0/0.
Correct answer: B
Explanation
Option B is correct. The EC2 instances sit in private subnets whose route tables have no route to the internet gateway, and an internal ALB has only private IP addresses, so no component of the design is reachable from the public internet. Office users reach the ALB's private addresses over the Site-to-Site VPN, and restricting the ALB security group's inbound rules to the office CIDR block rejects any other source inside the VPC or arriving over the VPN. Patch downloads still work because the private subnets' default route (0.0.0.0/0) points to NAT gateways, and those NAT gateways live in public subnets whose default route points to the internet gateway. The internet gateway is therefore still required even though nothing is exposed through it; it serves only the NAT gateways' outbound path.
Option A is wrong because public subnets, an internet-facing ALB and an inbound rule of 0.0.0.0/0 expose the application to the whole internet. Option C is wrong on three counts: a NAT gateway in a private subnet has no route to the internet gateway and cannot forward traffic out, the instances are in public subnets, and an outbound security group rule does nothing to limit who can connect inbound. Option D is wrong because an internet-facing ALB is reachable from the internet regardless of where the instances sit, and an outbound rule to 0.0.0.0/0 is not a restriction at all.
One caveat worth checking in practice: a security group rule scoped to the office CIDR block only matches if the VPN delivers the office source addresses unchanged. If the office side NATs its traffic behind another address before it enters the tunnel, the rule must reference that address instead.
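The requirements in option B can be checked mechanically against a deployed VPC rather than by inspection. The following Python is an added example (not from the exam question or from AWS): it encodes the three checks (internal ALB scheme, inbound rules contained in the office CIDR, instances in private subnets whose default route is a NAT gateway that itself sits in a public subnet) as audit functions over plain dictionaries. The dictionaries are constructed inline and only loosely imitate the shape of boto3 describe_* output; the office CIDR 10.50.0.0/16 and IDs such as subnet-priv-a, nat-1 and igw-1 are hypothetical. It goes slightly beyond the question by rejecting any inbound range wider than the office block, not only 0.0.0.0/0.

```python
"""Audit helpers for the private-subnet / internal-ALB / NAT-gateway pattern.

Added example, not part of the original question page. Inputs are constructed
dictionaries with hypothetical IDs; no AWS API calls are made.
"""
import ipaddress

OFFICE_CIDR = "10.50.0.0/16"  # assumed: office network reachable over the Site-to-Site VPN


def default_route_target(subnet_id, route_tables):
    """Target of the 0.0.0.0/0 route in the table associated with subnet_id, or None."""
    for rt in route_tables:
        if subnet_id in rt["subnet_ids"]:
            for route in rt["routes"]:
                if route["dst"] == "0.0.0.0/0":
                    return route["target"]
    return None


def subnet_is_public(subnet_id, route_tables):
    """A subnet is public when its default route points at an internet gateway (igw-...)."""
    target = default_route_target(subnet_id, route_tables) or ""
    return target.startswith("igw-")


def sg_inbound_only_from(sg, allowed_cidr):
    """True when every inbound rule lies inside allowed_cidr (rejects 0.0.0.0/0 and wider ranges)."""
    allowed = ipaddress.ip_network(allowed_cidr)
    rules = sg["inbound"]
    if not rules:
        return False  # no inbound rule at all: the office cannot reach the ALB either
    for rule in rules:
        net = ipaddress.ip_network(rule["cidr"])
        if net.version != allowed.version or not net.subnet_of(allowed):
            return False
    return True


def audit(design, office_cidr=OFFICE_CIDR):
    """Return a list of findings; an empty list means the design meets all requirements."""
    findings = []
    rts = design["route_tables"]
    alb = design["alb"]
    if alb["scheme"] != "internal":
        findings.append("ALB is internet-facing; it must be internal")
    if not sg_inbound_only_from(alb["sg"], office_cidr):
        findings.append("ALB security group allows inbound traffic from outside the office CIDR")
    for inst in design["instances"]:
        sid = inst["subnet_id"]
        if subnet_is_public(sid, rts):
            findings.append(f"instance subnet {sid} is public (direct route to an internet gateway)")
        elif not (default_route_target(sid, rts) or "").startswith("nat-"):
            findings.append(f"instance subnet {sid} has no NAT gateway route; patches cannot be downloaded")
    for nat in design["nat_gateways"]:
        if not subnet_is_public(nat["subnet_id"], rts):
            findings.append(f"NAT gateway {nat['id']} sits in a non-public subnet and has no path to the internet")
    return findings


# Constructed topologies with hypothetical IDs. subnet-pub-a routes to the internet gateway,
# subnet-priv-a routes to the NAT gateway nat-1.
ROUTE_TABLES = [
    {"subnet_ids": ["subnet-pub-a"], "routes": [{"dst": "0.0.0.0/0", "target": "igw-1"}]},
    {"subnet_ids": ["subnet-priv-a"], "routes": [{"dst": "0.0.0.0/0", "target": "nat-1"}]},
]
OPTION_B = {  # the correct answer: private instances, internal ALB, NAT in a public subnet
    "alb": {"scheme": "internal", "sg": {"inbound": [{"cidr": OFFICE_CIDR}]}},
    "instances": [{"subnet_id": "subnet-priv-a"}],
    "nat_gateways": [{"id": "nat-1", "subnet_id": "subnet-pub-a"}],
    "route_tables": ROUTE_TABLES,
}
OPTION_A = {  # public subnets, internet-facing ALB, inbound from anywhere
    "alb": {"scheme": "internet-facing", "sg": {"inbound": [{"cidr": "0.0.0.0/0"}]}},
    "instances": [{"subnet_id": "subnet-pub-a"}],
    "nat_gateways": [],
    "route_tables": ROUTE_TABLES,
}
OPTION_C = {  # public instances, NAT gateway in a private subnet, only an outbound SG rule
    "alb": {"scheme": "internal", "sg": {"inbound": []}},
    "instances": [{"subnet_id": "subnet-pub-a"}],
    "nat_gateways": [{"id": "nat-1", "subnet_id": "subnet-priv-a"}],
    "route_tables": ROUTE_TABLES,
}

if __name__ == "__main__":
    for name, design in (("A", OPTION_A), ("B", OPTION_B), ("C", OPTION_C)):
        print(f"Option {name}: {audit(design) or 'no findings'}")
```

To run this against a real account, replace the constructed dictionaries with the fields pulled from describe_load_balancers, describe_security_groups, describe_route_tables and describe_nat_gateways; the checks themselves do not change. Note that the NAT check looks at the route table of the subnet the NAT gateway occupies, which is exactly what makes option C's placement non-functional.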