AWS Certified Solutions Architect – Professional — Question 445
An organization is planning to set up a management network on its AWS VPC. It wants to secure a web server running on a single VPC instance so that the instance accepts both internet traffic and back-end management traffic. The back-end management network interface should accept SSH traffic only from a selected IP range, while the internet-facing web server interface should have an IP address that can receive traffic from all internet IPs.
How can the organization achieve this while running the web server on a single instance?
Answer options
- A. It is not possible to have two IP addresses for a single instance.
- B. The organization should create two network interfaces in the same subnet and security group to assign separate IPs to each network interface.
- C. The organization should create two network interfaces in separate subnets, so that one instance can have two subnets and the respective security groups for controlled access.
- D. The organization should launch an instance with two separate subnets using the same network interface, which allows it to have a separate CIDR as well as separate security groups.
Correct answer: C
Explanation
To isolate public web traffic from administrative management traffic on a single AWS VPC instance, attach two Elastic Network Interfaces (ENIs) from different subnets. A public-facing security group (for example, allowing HTTPS from 0.0.0.0/0) is applied to the ENI in the public subnet, and a highly restrictive security group (limiting SSH to the selected IP range) is applied to the ENI in the management subnet. Both subnets must be in the same Availability Zone as the instance, because an ENI can only be attached to an instance in its own AZ. Option A is incorrect because an instance can have multiple IP addresses; option B is incorrect because using the same subnet and security group for both interfaces defeats the isolation requirement; option D is incorrect because a single network interface cannot span multiple subnets.
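One way to build this layout, as an added Terraform example that is not part of the exam material: two security groups, two ENIs in different subnets, and one instance attached to both. The VPC, subnet and AMI IDs and the admin CIDR are placeholders to replace.

```hcl
# Added example, not from the exam page: all IDs and admin_cidr are placeholders.
locals {
  vpc_id           = "vpc-PLACEHOLDER"
  public_subnet_id = "subnet-PUBLIC-PLACEHOLDER" # both subnets must be in the instance's AZ
  mgmt_subnet_id   = "subnet-MGMT-PLACEHOLDER"
  admin_cidr       = "203.0.113.0/24"            # placeholder admin range (TEST-NET-3)
  ami_id           = "ami-PLACEHOLDER"
}
# Internet-facing interface: HTTPS from anywhere, no SSH rule at all.
resource "aws_security_group" "web_public" {
  vpc_id = local.vpc_id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Management interface: SSH only from the selected admin range.
resource "aws_security_group" "mgmt_ssh" {
  vpc_id = local.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.admin_cidr]
  }
}
# One ENI per subnet, each carrying only its own security group.
resource "aws_network_interface" "web" {
  subnet_id       = local.public_subnet_id
  security_groups = [aws_security_group.web_public.id]
}
resource "aws_network_interface" "mgmt" {
  subnet_id       = local.mgmt_subnet_id
  security_groups = [aws_security_group.mgmt_ssh.id]
}
# A single instance attached to both interfaces (eth0 public, eth1 management).
resource "aws_instance" "webserver" {
  ami           = local.ami_id
  instance_type = "t3.micro"
  network_interface {
    network_interface_id = aws_network_interface.web.id
    device_index         = 0
  }
  network_interface {
    network_interface_id = aws_network_interface.mgmt.id
    device_index         = 1
  }
}
```

No egress rules are declared: security groups are stateful, so replies to accepted inbound connections still flow, but add egress rules if the host must initiate outbound connections (for example, package updates).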