Virtual Private Cloud Quiz

C. Change the security groups for the cluster.
The question is describing a scenario where it has been instructed that the database servers should only be accessible to web servers in the public subnet.You have been asked which one of the following is not a recommended architecture based on the scenario.The answer is option C. “Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.”Here in this Option C, we are allowing all the incoming traffic from the internet to the database port which is not acceptable as per the architecture.​A similar setup is given in AWSDocumentation:
1) To ensure that traffic can flow into your web server from anywhere on secure traffic, you need to allow inbound security at 443
2) You need to then ensure that traffic can flow from the database server to the web server via the database security group.The below snapshot from AWS Documentation shows the rules tables for the security groups which relate to the same requirements as the question.
For more information on this use case scenario, please visit the following URL
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The requirement in the question states that the database servers should only be accessible to web servers in the public subnet.
The answer option C – “Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.” is not a recommended architecture for the above scenario. Here, we allow all the incoming traffic from the Internet to the database port which is not acceptable as per the architecture.