AWS Certified Solutions Architect – Associate (SAA-C03) — Question 976

A solutions architect is developing a VPC architecture that includes multiple subnets. The architecture will host applications that use Amazon EC2 instances and Amazon RDS DB instances. The architecture consists of six subnets in two Availability Zones. Each Availability Zone includes a public subnet, a private subnet, and a dedicated subnet for databases. Only EC2 instances that run in the private subnets can have access to the RDS databases.
Which solution will meet these requirements?

Answer options

Correct answer: C

Explanation

To restrict database access exclusively to EC2 instances in the private subnets, configure a security group for the Amazon RDS DB instances that permits inbound traffic on the database port only from the security group attached to the EC2 instances in the private subnets. Security groups are evaluated per elastic network interface, are stateful, and support allow rules only (there are no deny rules), so the RDS security group's ingress rule should reference the EC2 security group by its ID rather than by CIDR range. Referencing the source security group means the rule follows the instances themselves: any EC2 instance that carries that security group can reach the database, and instances in the public subnets (or anywhere else in the VPC) that do not carry it are denied by default. Two practical checks go with this: place the DB instances in a DB subnet group that contains only the two dedicated database subnets, and keep the DB instances non-publicly-accessible. Other options, such as modifying route tables within the same VPC or attempting to use VPC peering inside a single VPC, are invalid for this scenario: all subnets in a VPC can already route to each other through the VPC's local route, so neither route tables nor peering can restrict which instances reach the databases.
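The configuration below is an added Terraform example written for this explanation; it is not part of the original question or of any vendor material. It assumes a MySQL engine on TCP port 3306, an existing VPC referenced as `var.vpc_id`, and the two dedicated database subnet IDs in `var.db_subnet_ids`; all of these names are illustrative. The security-relevant point is the `aws_security_group_rule.db_from_app` resource, which uses `source_security_group_id` instead of a CIDR block, so only instances carrying `aws_security_group.app` can open a connection to the database.

```hcl
# Security group attached to the EC2 instances that run in the private subnets.
# Only the outbound rule to the database is shown; the inbound rules depend on the
# application and are omitted here.
resource "aws_security_group" "app" {
  name        = "app-private-instances"
  description = "EC2 instances in the private subnets"
  vpc_id      = var.vpc_id # assumption: existing VPC with six subnets
}

# Security group attached to the RDS DB instances in the database subnets.
# No inline ingress block is defined, so the group starts with no inbound access.
resource "aws_security_group" "db" {
  name        = "rds-database"
  description = "RDS DB instances in the dedicated database subnets"
  vpc_id      = var.vpc_id
}

# Allow the app instances to reach the database port. The source is the app
# security group ID, not a CIDR, so instances in the public subnets that do not
# carry aws_security_group.app are rejected by default (security groups have
# no deny rules; anything not explicitly allowed is dropped).
resource "aws_security_group_rule" "db_from_app" {
  type                     = "ingress"
  from_port                = 3306 # assumption: MySQL; use 5432 for PostgreSQL
  to_port                  = 3306
  protocol                 = "tcp"
  security_group_id        = aws_security_group.db.id
  source_security_group_id = aws_security_group.app.id
}

# Matching egress rule on the app side, scoped to the database security group.
resource "aws_security_group_rule" "app_to_db" {
  type                     = "egress"
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  security_group_id        = aws_security_group.app.id
  source_security_group_id = aws_security_group.db.id
}

# DB subnet group containing only the two dedicated database subnets (one per
# Availability Zone), so RDS never places an instance in a public or app subnet.
resource "aws_db_subnet_group" "db" {
  name       = "database-subnets"
  subnet_ids = var.db_subnet_ids # assumption: two database subnet IDs
}

resource "aws_db_instance" "main" {
  identifier             = "app-db"
  engine                 = "mysql"
  instance_class         = "db.t3.medium"
  allocated_storage      = 20
  db_subnet_group_name   = aws_db_subnet_group.db.name
  vpc_security_group_ids = [aws_security_group.db.id]
  multi_az               = true  # one standby in the second AZ's database subnet
  publicly_accessible    = false # never assign a public endpoint
  skip_final_snapshot    = true  # acceptable for a lab; not for production
  username               = var.db_username
  password               = var.db_password
}
```

Network ACLs on the database subnets can be layered on top of this as defense in depth (for example, denying the database port from the public subnet CIDRs), but the security group reference is what enforces the "only the private EC2 instances" requirement, because it is tied to the instances rather than to addresses that may be reused.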