A company is deploying a two-tier web application in a VPC. The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multiple Availability Zones. The database tier consists of an Amazon RDS for MySQL DB instance in separate private subnets. The web tier requires access to the database to retrieve product information.
The web application is not working as intended. The web application reports that it cannot connect to the database. The database is confirmed to be up and running. All configurations for the network ACLs, security groups, and route tables are still in their default states.
What should a solutions architect recommend to fix the application?
A
Add an explicit rule to the private subnet's network ACL to allow traffic from the web tier's EC2 instances.
B
Add a route in the VPC route table to allow traffic between the web tier's EC2 instances and the database tier.
C
Deploy the web tier's EC2 instances and the database tier's RDS instance into two separate VPCs, and configure VPC peering.
D
Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the web tier's security group.
Explanation:
Correct Answer: D - Add an inbound rule to the security group of the database tier's RDS instance to allow traffic from the web tier's security group.
Why this is correct:
Security Groups are Stateful Firewalls: A security group acts as a virtual firewall on the network interface of an EC2 instance or an RDS DB instance. A newly created security group has no inbound rules, so it denies all inbound traffic, and it has a single outbound rule that allows all outbound traffic. Because the group is stateful, the reply to a permitted inbound connection is allowed back out regardless of the outbound rules.
Default State Issue: The problem states that "All configurations for the network ACLs, security groups, and route tables are still in their default states." This means the network ACLs and route tables already permit the traffic, but the database tier's security group has no inbound rule that admits MySQL traffic (TCP port 3306) from the web tier, so the connection attempts are dropped at the RDS instance even though the database itself is healthy.
Communication Flow: The web tier EC2 instances in public subnets need to connect to the RDS instance in private subnets on TCP port 3306. For this to work, the database tier's security group needs an inbound rule for TCP 3306 whose source is the web tier's security group. Referencing the security group rather than an IP range covers every instance the Auto Scaling group launches and admits nothing outside the web tier.
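The following is an added example, not part of the original quiz page, showing how a practitioner would verify the problem and express the fix described in option D. It works on a constructed `describe-security-groups` style payload (the group IDs `sg-web` and `sg-db`, the VPC ID and the rule lists are assumed sample data) so that it runs offline; the real `authorize_security_group_ingress` call is named but not executed.

```python
"""Audit the DB security group and build the fix for the two-tier scenario.

Added example, not code from the original page. Group IDs, VPC ID and the
SAMPLE_GROUPS payload are constructed to look like the response of
`aws ec2 describe-security-groups` / boto3 `describe_security_groups()`.
Nothing here talks to AWS.
"""
import copy

MYSQL_PORT = 3306

# Constructed sample: two freshly created custom security groups, exactly
# as they look before the fix. No inbound rules, allow-all outbound.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-web",
        "GroupName": "web-tier",
        "VpcId": "vpc-0example",
        "IpPermissions": [],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {
        "GroupId": "sg-db",
        "GroupName": "db-tier",
        "VpcId": "vpc-0example",
        "IpPermissions": [],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]


def _rule_covers(rule, port, source_sg):
    """True if one IpPermissions entry admits TCP `port` from security group `source_sg`."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols and all ports
        return False
    if proto == "tcp" and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 0)):
        return False
    return any(p.get("GroupId") == source_sg for p in rule.get("UserIdGroupPairs", []))


def db_allows_web(groups, db_sg, web_sg, port=MYSQL_PORT):
    """Return True if `db_sg` has an inbound rule for `port` sourced from `web_sg`.

    Only the inbound side of the DB group is checked: security groups are
    stateful, so the reply to an admitted connection is allowed back out, and
    the web group's default allow-all egress already covers the request.
    """
    db = next(g for g in groups if g["GroupId"] == db_sg)
    return any(_rule_covers(r, port, web_sg) for r in db["IpPermissions"])


def fix_ingress_permission(web_sg, port=MYSQL_PORT):
    """Build the IpPermissions entry for option D: inbound TCP 3306 from the web SG.

    This is the structure boto3's ec2.authorize_security_group_ingress()
    accepts as IpPermissions; the call itself is left to the usage note.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": web_sg, "Description": "MySQL from web tier"}],
    }


def apply_fix_locally(groups, db_sg, web_sg, port=MYSQL_PORT):
    """Return a copy of `groups` with the fix applied, leaving the input untouched."""
    fixed = copy.deepcopy(groups)
    db = next(g for g in fixed if g["GroupId"] == db_sg)
    db["IpPermissions"].append(fix_ingress_permission(web_sg, port))
    return fixed


if __name__ == "__main__":
    print("before fix, db allows web:", db_allows_web(SAMPLE_GROUPS, "sg-db", "sg-web"))
    fixed = apply_fix_locally(SAMPLE_GROUPS, "sg-db", "sg-web")
    print("after fix, db allows web: ", db_allows_web(fixed, "sg-db", "sg-web"))
```

On a live account the same rule is added with `aws ec2 authorize-security-group-ingress --group-id <db-sg-id> --protocol tcp --port 3306 --source-group <web-sg-id>`, or by passing `fix_ingress_permission(...)` as `IpPermissions` to boto3's `authorize_security_group_ingress`. Sourcing the rule from the web security group instead of the public subnets' CIDR blocks keeps the rule valid as the Auto Scaling group replaces instances and keeps anything else in those subnets out of the database.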
Why other options are incorrect:
A: Network ACLs are stateless, but the default network ACL of a VPC allows all inbound and all outbound traffic, so adding an explicit allow rule changes nothing. (Only a custom network ACL starts out denying everything, and the question says the ACLs are still in their default state.)
B: Every VPC route table contains a local route for the VPC's CIDR block that cannot be removed, so the public and private subnets can already reach each other; there is no route to add.
C: This is overly complex and unnecessary. The web tier and database tier can communicate within the same VPC. Creating separate VPCs with peering would add unnecessary complexity and cost.
Key AWS Concepts: