AWS Certified Solutions Architect – Associate (SAA-C03) — Question 988
A company is designing a new multi-tier web application that consists of the following components:
• Web and application servers that run on Amazon EC2 instances as part of Auto Scaling groups
• An Amazon RDS DB instance for data storage
A solutions architect needs to limit access to the application servers so that only the web servers can access them.
Which solution will meet these requirements?
Answer options
- A. Deploy AWS PrivateLink in front of the application servers. Configure the network ACL to allow only the web servers to access the application servers.
- B. Deploy a VPC endpoint in front of the application servers. Configure the security group to allow only the web servers to access the application servers.
- C. Deploy a Network Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the network ACL to allow only the web servers to access the application servers.
- D. Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.
Correct answer: D
Explanation
Deploying an Application Load Balancer (ALB) is the standard way to distribute HTTP/HTTPS traffic to an Auto Scaling group of application servers. Configuring the application servers' security group to accept inbound traffic only from the web servers' security group establishes a stateful, tightly restricted communication path, and the rule keeps working as instances in either Auto Scaling group are replaced, because it references the group rather than individual IP addresses. Network ACLs are stateless and operate at the subnet level; they cannot reference a security group, so they cannot express "only the web servers". AWS PrivateLink and VPC endpoints expose services across VPC boundaries and are not designed for this kind of internal load balancing.
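The following CloudFormation fragment is an added illustration of option D and is not part of the question or any AWS-provided template. Because the internal ALB terminates the web servers' connections, the restriction is expressed as a chain: the ALB's security group admits only the web tier's security group, and the application servers' security group admits only the ALB's security group. The VPC id, subnet ids and port 8080 are assumed placeholders, and the web tier's launch template is assumed to attach WebServerSG.

```yaml
# Added example: security-group referencing behind an internal ALB (option D).
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
Resources:
  WebServerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Web tier (its own inbound rules are out of scope here)
      VpcId: !Ref VpcId
  AppAlbSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internal ALB in front of the application tier
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Only instances that carry WebServerSG may reach the ALB listener port.
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref WebServerSG
  AppServerSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier, reachable only through the internal ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # Targets accept connections only from the ALB's network interfaces, so
        # nothing outside the web -> ALB -> app path can open port 8080 on them.
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref AppAlbSG
  AppAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internal
      Type: application
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups:
        - !Ref AppAlbSG
```

The target group, listener and the application tier's Auto Scaling group (which would attach AppServerSG and register with the target group) are omitted for brevity; no outbound rules are declared, so each group keeps the default allow-all egress.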