AWS Certified Solutions Architect – Professional — Question 547
You have been asked to set up a public website on AWS with the following criteria:
You want the database and the application server running on an Amazon VPC. You want the database to be able to connect to the Internet so that it can be automatically updated to the correct patch level.
You do not want to receive any incoming traffic from the Internet to the database.
Which solutions would be the best to satisfy all the above requirements for your planned public website on AWS? (Choose two.)
Answer options
- A. Set up both the public website and the database on a public subnet and block all incoming requests from the Internet with a Network Access Control List (NACL)
- B. Set up both the public website and the database on a public subnet, and block all incoming requests from the Internet with a security group which only allows access from the IP of the public website.
- C. Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance.
- D. Set up both the public website and the database on a private subnet and block all incoming requests from the Internet with a Network Access Control List (NACL). Set up a Security group between the public website and the database which only allows access via port 80.
Correct answer: C
Explanation
Placing the web tier in a public subnet (a subnet whose route table sends 0.0.0.0/0 to an Internet gateway) lets it accept inbound web traffic, while placing the database in a private subnet (default route to a NAT instance or, today, a NAT Gateway, and no public IP on the DB instance) lets the database initiate outbound connections to fetch patches without being reachable from the Internet: NAT only forwards return traffic for connections the private host started, so nothing on the Internet can open a connection to the database. Complete the design with a stateful security group on the database that allows inbound traffic only from the web tier's security group on the database port (3306 for MySQL, 5432 for PostgreSQL, and so on), not port 80 as option D proposes. Options A and B keep the database in a public subnet with a route to the Internet gateway, so its exposure rests entirely on one correctly written NACL or security group rule; this is defensible but not the best design. Option A is also impractical because a NACL is stateless, so "block all incoming requests" would drop the return packets of the database's own outbound update traffic (and the website's inbound traffic) unless ephemeral ports were opened. Option D puts the website itself in a private subnet, where it cannot serve the public. Although the stem says "Choose two", only option C satisfies every requirement.
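The following is an added example, not part of the original question or of any AWS documentation, showing how a practitioner would verify the option C layout from the route tables and security groups rather than trust a diagram. The input dictionaries mirror a subset of the JSON returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, but all data is constructed here and every resource ID (igw-web, nat-db, sg-web) is a placeholder, not a real identifier. The GOOD layout is option C; the BAD layout is option B (database in the public subnet, guarded only by a /32 security-group rule).

```python
"""Check a two-tier VPC layout for the public-web / private-DB pattern (option C).

Constructed example data only; no AWS API calls are made. Resource IDs are
placeholders (igw-web, nat-db, sg-web), not real identifiers.
"""


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None


def subnet_kind(route_table):
    """Classify a subnet by where its default route points.

    igw-*          -> public: hosts with a public IP are directly reachable from the Internet
    nat-*/i-*/eni-* -> private: outbound-only via NAT Gateway or NAT instance (an i-*/eni-*
                      target is assumed to be a NAT instance; route data alone cannot prove it)
    no default route -> isolated: no Internet access at all, so no patching either
    """
    target = default_route_target(route_table)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "i-", "eni-")):
        return "private"
    return "unknown"


def db_sg_findings(db_sg, web_sg_id, db_port):
    """Inbound rules on the DB security group that deviate from 'web tier only, DB port only'.

    Any CIDR source is reported (0.0.0.0/0 as CRITICAL) because the intended design
    references the web tier's security group rather than addresses.
    """
    findings = []
    for perm in db_sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        ports = (perm.get("FromPort"), perm.get("ToPort"))
        for rng in perm.get("IpRanges", []):
            sev = "CRITICAL" if rng["CidrIp"] == "0.0.0.0/0" else "WARN"
            findings.append(f"{sev}: CIDR {rng['CidrIp']} allowed on {proto} {ports}")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"CRITICAL: IPv6 CIDR {rng['CidrIpv6']} allowed on {proto} {ports}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] != web_sg_id:
                findings.append(f"WARN: group {pair['GroupId']} is not the web tier")
            elif proto != "tcp" or ports != (db_port, db_port):
                findings.append(f"WARN: web tier allowed on {proto} {ports}, expected tcp {db_port}")
    return findings


def evaluate(layout, db_port=5432):
    """Return a list of findings; an empty list means the layout matches option C."""
    findings = []
    web_kind = subnet_kind(layout["web_route_table"])
    db_kind = subnet_kind(layout["db_route_table"])
    if web_kind != "public":
        findings.append(f"web subnet is {web_kind}; it cannot serve a public website")
    if db_kind == "public":
        findings.append("db subnet routes to an Internet gateway; the DB is directly reachable")
    elif db_kind == "isolated":
        findings.append("db subnet has no default route; the DB cannot reach patch repositories")
    findings.extend(db_sg_findings(layout["db_sg"], layout["web_sg_id"], db_port))
    return findings


# Constructed layouts. GOOD follows option C; BAD follows option B.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
IGW_DEFAULT = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-web", "State": "active"}
NAT_DEFAULT = {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-db", "State": "active"}
GOOD = {
    "web_route_table": {"Routes": [LOCAL, IGW_DEFAULT]},
    "db_route_table": {"Routes": [LOCAL, NAT_DEFAULT]},
    "web_sg_id": "sg-web",
    "db_sg": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                 "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
}
BAD = {
    "web_route_table": {"Routes": [LOCAL, IGW_DEFAULT]},
    "db_route_table": {"Routes": [LOCAL, IGW_DEFAULT]},   # DB shares the public subnet
    "web_sg_id": "sg-web",
    "db_sg": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                                 "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []}]},
}

if __name__ == "__main__":
    for name, layout in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, evaluate(layout) or ["ok"])
```

Run against a real account by feeding `evaluate` the `RouteTables[i]` and `SecurityGroups[i]` objects from the two describe calls; the BAD layout produces two findings, one for the Internet-gateway route on the database subnet and one for the address-based inbound rule, which is exactly why option B is weaker than option C even though its security group does keep Internet traffic out.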