AWS Certified Solutions Architect – Professional — Question 557
A user is hosting a public website on AWS. The user wants to have the database and the app server in the AWS VPC. The user wants to set up a database that can connect to the Internet for any patch upgrade but cannot receive any request from the Internet. How can the user set this up?
Answer options
- A. Set up the DB in a private subnet with the security group allowing only outbound traffic.
- B. Set up the DB in a public subnet with the security group allowing only inbound data.
- C. Set up the DB in a local data center and use a private gateway to connect the application with the DB.
- D. Set up the DB in a private subnet that is connected to the Internet via NAT for outbound traffic.
Correct answer: D
Explanation
To allow resources in a private subnet to initiate outbound connections to the Internet for updates while blocking unsolicited inbound connections, you must use a NAT gateway or NAT instance. Placing the database in a private subnet ensures it has no public IP address, so nothing on the Internet can reach it directly, while the NAT device forwards only the connections the database itself initiates and returns their replies. Simply modifying security group rules in a private subnet without a NAT gateway will not grant Internet access, because the subnet's route table has no route to the Internet.