AWS Certified SysOps Administrator – Associate (legacy) — Question 690
A company needs to deploy a web application on two Amazon EC2 instances behind an Application Load Balancer (ALB). Two EC2 instances will also be deployed to host the database. The infrastructure needs to be designed across Availability Zones (AZs) for high availability and must limit public access to the instances as much as possible.
How should this be achieved within a VPC?
Answer options
- A. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a private subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.
- B. Use two AZs and create a public subnet in each AZ for the Application Load Balancer, a public subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
- C. Use two AZs and create one public subnet for the Application Load Balancer, a private subnet in each AZ for the web servers, and a public subnet in each AZ for the database servers.
- D. Use two AZs and create one public subnet for the Application Load Balancer, a public subnet in each AZ for the web servers, and a private subnet in each AZ for the database servers.
Correct answer: A
Explanation
To achieve high availability, the Application Load Balancer (ALB) must be deployed across at least two Availability Zones (AZs) in public subnets to accept internet traffic. To minimize public access, both the web servers and the database servers must be placed in private subnets across those AZs, where they can only be accessed through the ALB or internal routing. The other options either fail to distribute the ALB across multiple AZs for high availability or expose private resources (web or database servers) to the public internet unnecessarily.
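As an added example (not part of the exam material or any AWS tooling), the following script encodes each answer option as a set of subnets and audits it against the two requirements, treating a subnet as public when its route table sends 0.0.0.0/0 to an internet gateway; the AZ names and gateway ids are constructed placeholders.

```python
from dataclasses import dataclass

AZS = ("us-east-1a", "us-east-1b")            # constructed sample AZ names
IGW, NAT, NONE = "igw-0example", "nat-0example", ""  # placeholder 0.0.0.0/0 targets


@dataclass
class Subnet:
    name: str
    az: str
    tier: str           # "alb", "web" or "db"
    default_route: str  # target of 0.0.0.0/0 in the subnet's route table ("" = no route)


def is_public(s: Subnet) -> bool:
    """A subnet is public when its default route points at an internet gateway."""
    return s.default_route.startswith("igw-")


def audit(subnets):
    """Return a list of findings; an empty list means both requirements hold."""
    findings = []
    tiers = {t: [s for s in subnets if s.tier == t] for t in ("alb", "web", "db")}
    for tier, members in tiers.items():
        # High availability: every tier must be spread over at least two AZs
        if len({s.az for s in members}) < 2:
            findings.append(f"{tier} tier does not span two AZs")
        for s in members:
            # Only the ALB tier should be internet-facing; web and db stay private
            if tier == "alb" and not is_public(s):
                findings.append(f"{s.name}: ALB subnet must be public")
            if tier != "alb" and is_public(s):
                findings.append(f"{s.name}: {tier} subnet is internet-reachable")
    return findings


def build(alb_azs, web_target, db_target):
    """Candidate layout: ALB public subnets in alb_azs, web/db subnets in every AZ."""
    subs = [Subnet(f"alb-{az}", az, "alb", IGW) for az in alb_azs]
    subs += [Subnet(f"web-{az}", az, "web", web_target) for az in AZS]
    subs += [Subnet(f"db-{az}", az, "db", db_target) for az in AZS]
    return subs


# The four answer options expressed as layouts (web via NAT, db with no default route)
OPTIONS = {
    "A": build(AZS, NAT, NONE),
    "B": build(AZS, IGW, IGW),
    "C": build(AZS[:1], NAT, IGW),
    "D": build(AZS[:1], IGW, NONE),
}

if __name__ == "__main__":
    for name, subs in OPTIONS.items():
        print(name, audit(subs) or "meets both requirements")
```

Running it reports option A as the only layout with no findings; the others are flagged for a single-AZ ALB tier, internet-reachable web or database subnets, or both.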