
Answer-first summary for fast verification
Answer: Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.
## Explanation

This question addresses a common architectural issue with Application Load Balancers (ALBs) and private subnets.

### Key Points:

1. **Internet-facing ALB Requirements**: An internet-facing ALB must be attached to public subnets, that is, subnets whose route table sends 0.0.0.0/0 to an internet gateway, with one such subnet in each Availability Zone it serves.
2. **Private Subnet EC2 Instances**: EC2 instances in private subnets have no route to an internet gateway. Their only internet path is outbound, through a NAT gateway; nothing on the internet can open a connection to them directly.
3. **Current Problem**: The ALB is internet-facing but was attached to the private subnets. Those subnets have no route to an internet gateway, so there is no path from the internet to the load balancer nodes, and the ALB never receives the requests it is supposed to forward to the instances.

### Why Option D is Correct:

- **Create public subnets in each Availability Zone**: The ALB needs a public subnet in every AZ where it has targets so that the internet can reach a load balancer node in each AZ.
- **Associate the public subnets with the ALB**: Attaching the ALB to the public subnets gives its nodes a route to the internet gateway, so inbound internet traffic can reach them.
- **Update the route tables for the public subnets with a route to the private subnets**: The ALB nodes forward requests to the instances over the VPC's internal routing, never through the internet gateway or the NAT gateway. Every VPC route table already carries a `local` route for the VPC CIDR, so in a real deployment this step is satisfied by default; what must not be missing is the 0.0.0.0/0 route to the internet gateway in the public subnets.

Routing alone is not enough. Also check the security groups: the ALB's group must allow inbound 80/443 from 0.0.0.0/0, and the instances' group should allow the target port only from the ALB's security group, not from the internet.

### Why Other Options are Incorrect:

- **Option A**: Replacing the ALB with a Network Load Balancer is unnecessary and does not change the subnet and routing problem. A NAT gateway only provides outbound internet access for instances in private subnets; it does not admit inbound traffic.
- **Option B**: Moving the EC2 instances to public subnets exposes them directly to the internet, which is a security risk and not a best practice for web applications. The outbound security-group rule is irrelevant to the inbound problem.
- **Option C**: Routing 0.0.0.0/0 from the instances' subnets through the internet gateway turns the private subnets into public ones (the instances would also need public IP addresses to be reachable), but it does nothing about the ALB's own subnets, which is where inbound traffic is failing.

### Best Practice Architecture:

1. Internet-facing ALB in public subnets with a route to the internet gateway
2. EC2 instances in private subnets
3. ALB forwards traffic to the EC2 instances through the VPC's internal (`local`) routing
4. EC2 instances use a NAT gateway for outbound internet access
5. Security groups chained so that only the ALB can reach the instances on the target port

This configuration keeps the EC2 instances off the internet while allowing internet traffic to reach them through the ALB.
Author: LeetQuiz Editorial Team
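The following script is an added example, not part of the original page, that checks the layout described above offline. The subnet, route-table and security-group data are constructed by hand to mimic the shape of the `describe_route_tables()` and `describe_security_groups()` responses that boto3 returns; every identifier (`igw-...`, `nat-...`, `subnet-...`, `sg-...`) is an assumed placeholder and nothing is read from a real account. `broken_layout()` models the question's situation (ALB attached to the private subnets) and `fixed_layout()` models option D; the checker also covers the AZ coverage, the `local` route and the security-group chain that the explanation calls out.

```python
"""Offline check of the layout in the answer above: an internet-facing ALB in a
public subnet per AZ, EC2 targets in private subnets.  All data is constructed
by hand in the shape of boto3 ec2.describe_route_tables() / describe_security_groups()
output; nothing is read from a real account and every identifier is a placeholder."""

VPC_CIDR = "10.0.0.0/16"

# Two Availability Zones, one public and one private subnet in each (assumed IDs).
SUBNET_AZ = {"subnet-pub-a": "us-east-1a", "subnet-priv-a": "us-east-1a",
             "subnet-pub-b": "us-east-1b", "subnet-priv-b": "us-east-1b"}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0a1b2c3d"}]},
]

SECURITY_GROUPS = {
    # ALB: HTTPS from anywhere.  Targets: HTTP only from the ALB's group.
    "sg-alb": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "sg-web": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}],
}


def route_table_for(subnet_id):
    # Table explicitly associated with the subnet; None if there is none.
    for rt in ROUTE_TABLES:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None


def is_public(subnet_id):
    # Public means the subnet's table sends 0.0.0.0/0 to an internet gateway.
    rt = route_table_for(subnet_id)
    return rt is not None and any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
        for r in rt["Routes"])


def sg_allows(sg_id, port, from_cidr=None, from_sg=None):
    # True if the group has an inbound tcp rule covering `port` from the CIDR or group.
    for p in SECURITY_GROUPS[sg_id]:
        if p["IpProtocol"] not in ("tcp", "-1"):
            continue
        if p["IpProtocol"] == "tcp" and not p["FromPort"] <= port <= p["ToPort"]:
            continue
        if from_cidr and any(r["CidrIp"] == from_cidr for r in p["IpRanges"]):
            return True
        if from_sg and any(g["GroupId"] == from_sg for g in p["UserIdGroupPairs"]):
            return True
    return False


def check_alb_layout(alb_subnets, target_subnets, alb_sg, target_sg, target_port):
    # Returns a list of findings; empty means the layout matches option D.
    findings = []
    alb_azs = {SUBNET_AZ[s] for s in alb_subnets}
    for s in alb_subnets:                       # 1. ALB subnets must route to an IGW
        if not is_public(s):
            findings.append(f"{s}: ALB subnet has no 0.0.0.0/0 route to an internet gateway")
    for s in target_subnets:                    # 2. one ALB subnet per target AZ, targets private
        if SUBNET_AZ[s] not in alb_azs:
            findings.append(f"{s}: no ALB subnet in AZ {SUBNET_AZ[s]}")
        if is_public(s):
            findings.append(f"{s}: target subnet is public, instances are directly reachable")
    for s in set(alb_subnets) | set(target_subnets):   # 3. ALB->target rides the 'local' route
        rt = route_table_for(s)
        if rt is None or not any(r.get("GatewayId") == "local" for r in rt["Routes"]):
            findings.append(f"{s}: missing local route for {VPC_CIDR}")
    if not sg_allows(alb_sg, 443, from_cidr="0.0.0.0/0"):   # 4. security-group chain
        findings.append(f"{alb_sg}: no inbound 443 from 0.0.0.0/0")
    if not sg_allows(target_sg, target_port, from_sg=alb_sg):
        findings.append(f"{target_sg}: no inbound {target_port} from {alb_sg}")
    return findings


def broken_layout():
    # The question's situation: the ALB was attached to the private subnets.
    return check_alb_layout(["subnet-priv-a", "subnet-priv-b"],
                            ["subnet-priv-a", "subnet-priv-b"], "sg-alb", "sg-web", 80)


def fixed_layout():
    # Option D: the ALB is attached to a public subnet in each AZ; targets stay private.
    return check_alb_layout(["subnet-pub-a", "subnet-pub-b"],
                            ["subnet-priv-a", "subnet-priv-b"], "sg-alb", "sg-web", 80)


if __name__ == "__main__":
    print("broken:", broken_layout())
    print("fixed:", fixed_layout() or "OK")
```

Run as a script, the broken layout reports one finding per ALB subnet (no 0.0.0.0/0 route to an internet gateway) and the fixed layout reports none. Against a real account, the same checks apply to the `Routes`, `Associations` and `IpPermissions` fields of the boto3 responses; the one difference is that subnets without an explicit association use the VPC's main route table, which this constructed example does not model.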
A company runs a web application on Amazon EC2 instances in multiple Availability Zones. The EC2 instances are in private subnets. A solutions architect implements an internet-facing Application Load Balancer (ALB) and specifies the EC2 instances as the target group. However, the internet traffic is not reaching the EC2 instances.
How should the solutions architect reconfigure the architecture to resolve this issue?
A. Replace the ALB with a Network Load Balancer. Configure a NAT gateway in a public subnet to allow internet traffic.

B. Move the EC2 instances to public subnets. Add a rule to the EC2 instances' security groups to allow outbound traffic to 0.0.0.0/0.

C. Update the route tables for the EC2 instances' subnets to send 0.0.0.0/0 traffic through the internet gateway route. Add a rule to the EC2 instances' security groups to allow outbound traffic to 0.0.0.0/0.

D. Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.