Practice Test 2 | AWS Certified Solutions Architect Associate | SAA-C03 | Dumps | Mock Test
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default ACL settings. The web servers must be accessible only to customers on an SSL connection and the database should only be accessible to web servers in a public subnet. As an architect, which of the following would you not recommend for such an architecture?
A. Create a separate web server and database server security group.
B. Ensure the web server security group allows HTTPS port 443 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.
C. Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.
D. Ensure the DB server security group allows MySQL port 3306 inbound and specify thesource as the web server security group.
Explanation:
Answer – C
The question is describing a scenario where it has been instructed that the database servers should only be accessible to web servers in the public subnet.
You have been asked which one of the following is not a recommended architecture based on the scenario.
The answer is option C. “Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.”
Here in this Option C, we are allowing all the incoming traffic from the internet to the database port which is not acceptable as per the architecture.?
A similar setup is given in AWS Documentation:
1) To ensure that traffic can flow into your web server from anywhere on secure traffic, you need to allow inbound security at 443.
2) You need to then ensure that traffic can flow from the database server to the web server via the database security group.
The below snapshot from AWS Documentation shows the rules tables for the security groups which relate to the same requirements as the question.
For more information on this use case scenario, please visit the following URL:
The requirement in the question states that the database servers should only be accessible to web servers in the public subnet.
The answer option C – “Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.” is not a recommended architecture for the above scenario. Here, we allow all the incoming traffic from the Internet to the database port which is not acceptable as per the architecture.
The question asks that database should only be accessible to the webservers in the public subnet.
Now in option D database server’s sec grp allows inbound at port 3306 and source of the traffic as Webserver sec grp that means request traffic from webserver is allowed to the DB server Since security groups are stateful , response will also be allowed from DB to the webserver. Thus allowing the communication between them So the option D is right.
But wrong in terms of this question as you have to choose an incorrect/wrong option.
Note:
The question asks you to find out which of the following is not recommend i.e. incorrect and the option C is not correct because of the incorrect inbound rule. Hence it is the answer.
Comments are closed, but trackbacks and pingbacks are open.