AWS Certified SysOps Administrator – Associate — Question 417
A company hosts its website on Amazon EC2 instances in the us-east-1 Region. The company is preparing to extend its website into the eu-central-1 Region, but the database must remain only in us-east-1. After deployment, the EC2 instances in eu-central-1 are unable to connect to the database in us-east-1.
What is the MOST operationally efficient solution that will resolve this connectivity issue?
Answer options
- A. Create a VPC peering connection between the two Regions. Add the private IP address range of the instances to the inbound rule of the database security group.
- B. Create a VPC peering connection between the two Regions. Add the security group of the instances in eu-central-1 to the outbound rule of the database security group.
- C. Create a VPN connection between the two Regions. Add the private IP address range of the instances to the outbound rule of the database security group.
- D. Create a VPN connection between the two Regions. Add the security group of the instances in eu-central-1 to the inbound rule of the database security group.
Correct answer: A
Explanation
VPC peering is the most operationally efficient way to connect VPCs across AWS Regions: traffic stays on the AWS backbone and there are no VPN tunnels, gateways, or keys to manage. Security groups cannot be referenced across Regions in an inter-region peering connection, so the database's security group must explicitly allow the CIDR block (private IP range) of the remote EC2 instances in its inbound rules. Outbound rules (options B and C) govern traffic leaving the database, not connections arriving from eu-central-1, and option D additionally relies on a cross-Region security group reference that peering does not support.
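The AWS CLI steps that implement option A, as an added example that is not part of the original question or answer key. Every VPC, route table and security group ID, both CIDR ranges and the database port are placeholders (assumptions); the script only calls AWS when run with `--apply`, and the `ingress_rule_args` helper refuses a security group ID as the rule source because inter-region peering only accepts a CIDR there.

```shell
#!/bin/sh
# Added example: AWS CLI steps that implement option A. All IDs, CIDRs and the
# port below are placeholders (assumptions), not values from the question.
set -eu

DB_REGION="us-east-1"
WEB_REGION="eu-central-1"
DB_VPC="vpc-PLACEHOLDER-db"        # VPC holding the database in us-east-1
WEB_VPC="vpc-PLACEHOLDER-web"      # VPC holding the web tier in eu-central-1
DB_RTB="rtb-PLACEHOLDER-db"        # route table of the database subnets
WEB_RTB="rtb-PLACEHOLDER-web"      # route table of the web subnets
DB_SG="sg-PLACEHOLDER-db"          # database security group
DB_CIDR="10.0.0.0/16"              # assumed CIDR of the us-east-1 VPC
WEB_CIDR="10.1.0.0/16"             # assumed CIDR of the eu-central-1 VPC
DB_PORT=3306                       # assumed database port

# Inter-region peering cannot reference the remote security group, so the
# source of the inbound rule must be a CIDR. Reject an sg- id here rather than
# letting the authorize call fail later.
peer_source_must_be_cidr() {
    case "$1" in
        sg-*) echo "cross-Region rule source must be a CIDR, got $1" >&2; return 1 ;;
        */*)  return 0 ;;
        *)    echo "not a CIDR: $1" >&2; return 1 ;;
    esac
}

# Build the argument list for the inbound rule on the database security group:
# ingress_rule_args <sg-id> <port> <source-cidr>
ingress_rule_args() {
    peer_source_must_be_cidr "$3" || return 1
    printf '%s' "--group-id $1 --protocol tcp --port $2 --cidr $3"
}

main() {
    # 1. Request the peering from the database side, naming the peer Region.
    PCX=$(aws ec2 create-vpc-peering-connection --region "$DB_REGION" \
        --vpc-id "$DB_VPC" --peer-vpc-id "$WEB_VPC" --peer-region "$WEB_REGION" \
        --query 'VpcPeeringConnection.VpcPeeringConnectionId' --output text)

    # 2. Accept it in the web Region once it is visible there.
    aws ec2 wait vpc-peering-connection-exists --region "$WEB_REGION" \
        --vpc-peering-connection-ids "$PCX"
    aws ec2 accept-vpc-peering-connection --region "$WEB_REGION" \
        --vpc-peering-connection-id "$PCX"

    # 3. Routes in both directions; peering does not create them for you.
    aws ec2 create-route --region "$DB_REGION" --route-table-id "$DB_RTB" \
        --destination-cidr-block "$WEB_CIDR" --vpc-peering-connection-id "$PCX"
    aws ec2 create-route --region "$WEB_REGION" --route-table-id "$WEB_RTB" \
        --destination-cidr-block "$DB_CIDR" --vpc-peering-connection-id "$PCX"

    # 4. Inbound rule on the database SG keyed on the remote CIDR (option A).
    # shellcheck disable=SC2046
    aws ec2 authorize-security-group-ingress --region "$DB_REGION" \
        $(ingress_rule_args "$DB_SG" "$DB_PORT" "$WEB_CIDR")
}

# Only call AWS when explicitly asked, so the file can be sourced or inspected safely.
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sh peer-and-allow.sh --apply` with credentials that can manage VPCs in both Regions. Steps 3 and 4 are the ones that most often get missed after the peering itself is active: without a route to the peer CIDR in each route table the packets never leave the VPC, and without the inbound CIDR rule the database security group drops them on arrival.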