AWS Certified SysOps Administrator – Associate (legacy) — Question 543
A company needs to deploy a web application on two Amazon EC2 instances behind an Application Load Balancer (ALB). Two EC2 instances will also be deployed to host the database. The infrastructure needs to be designed across Availability Zones for high availability and must limit public access to the instances as much as possible.
How should this be achieved within a VPC?
Answer options
- A. Create one public subnet for the Application Load Balancer, one public subnet for the web servers, and one private subnet for the database servers.
- B. Create one public subnet for the Application Load Balancer, two public subnets for the web servers, and two private subnets for the database servers.
- C. Create two public subnets for the Application Load Balancer, two private subnets for the web servers, and two private subnets for the database servers.
- D. Create two public subnets for the Application Load Balancer, two public subnets for the web servers, and two public subnets for the database servers.
Correct answer: C
Explanation
To achieve high availability across multiple Availability Zones, the Application Load Balancer (ALB) must be deployed in at least two public subnets, each in a different Availability Zone. To minimize public exposure as required, both the web application EC2 instances and the database EC2 instances should be placed in private subnets (two of each, one per Availability Zone), so that public traffic reaches the web tier only through the ALB and the database tier is reachable only from inside the VPC. Placing any EC2 instances in public subnets unnecessarily increases the attack surface and violates security best practices.
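As an added illustration (not part of the exam page), the check below applies the same "public means routable from an internet gateway" rule AWS uses to decide which subnets are public, confirms the ALB subnets span two Availability Zones, and flags any instance that was launched into a public subnet; all subnet, instance and gateway identifiers are constructed sample data shaped like boto3 `describe_*` responses.

```python
"""Added example (not from the exam page): decide which VPC subnets are public from their
route tables, as AWS does (explicit association, else the VPC main table; public means a
0.0.0.0/0 route to an internet gateway), then flag EC2 instances sitting in public subnets."""

# Constructed sample data shaped like boto3 describe_route_tables / describe_subnets output.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-alb-a"}, {"SubnetId": "subnet-alb-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0sample"}]},
    {"Associations": [{"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-web-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0sample"}]},
    # Main table has only the local route, so the unassociated db subnets are private.
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = {"subnet-alb-a": "us-east-1a", "subnet-alb-b": "us-east-1b",
           "subnet-web-a": "us-east-1a", "subnet-web-b": "us-east-1b",
           "subnet-db-a": "us-east-1a", "subnet-db-b": "us-east-1b"}
# Constructed instances; i-db-b was launched into an ALB subnet by mistake.
INSTANCES = [{"InstanceId": "i-web-a", "SubnetId": "subnet-web-a"},
             {"InstanceId": "i-web-b", "SubnetId": "subnet-web-b"},
             {"InstanceId": "i-db-a", "SubnetId": "subnet-db-a"},
             {"InstanceId": "i-db-b", "SubnetId": "subnet-alb-b"}]


def routes_to_igw(route_table):
    """True if the table has a default route targeting an internet gateway."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in route_table["Routes"])


def public_subnets(route_tables, subnet_ids):
    """Subnet IDs whose effective route table (explicit, else main) reaches an IGW."""
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt["Associations"] if "SubnetId" in a}
    main = next(rt for rt in route_tables if any(a.get("Main") for a in rt["Associations"]))
    return {s for s in subnet_ids if routes_to_igw(explicit.get(s, main))}


def exposed_instances(instances, public):
    """Instance IDs placed in a public subnet: avoidable attack surface behind an ALB."""
    return sorted(i["InstanceId"] for i in instances if i["SubnetId"] in public)


def az_count(subnet_ids):
    """Distinct AZs a group of subnets spans; the ALB needs at least two."""
    return len({SUBNETS[s] for s in subnet_ids})
```

Running the functions against the sample data reports only the two ALB subnets as public (spanning two AZs) and flags `i-db-b`, the database instance that ended up in a public subnet.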