
Answer-first summary for fast verification
Answer: Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPC. Update the subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that references the security group ID of the application servers in eu-west-1.
## Explanation

**Correct Answer: B**

**Why Option B is correct:**

1. **VPC Peering across Regions**: The scenario requires communication between VPCs in two different Regions (ap-southeast-2 and eu-west-1). VPC peering supports inter-Region peering, and the traffic stays on the AWS network rather than traversing the public internet.
2. **Route table updates**: Creating and accepting the peering connection is not enough. The subnet route tables on both sides must get a route for the peer VPC's CIDR block that targets the peering connection, or no packets are forwarded.
3. **Security group referencing**: The inbound rule is placed on the ap-southeast-2 database security group and names the eu-west-1 application security group as its source. Referencing a security group ID instead of static IP addresses is the best practice the question is testing: the rule follows group membership, so instances that are added, replaced, or re-addressed need no rule change.
4. **Direction of communication**: The applications in eu-west-1 initiate connections to the databases in ap-southeast-2, so the inbound rule belongs on the database security group (ap-southeast-2), allowing traffic from the application security group (eu-west-1). Security groups are stateful, so the return traffic needs no separate rule.

**Why other options are incorrect:**

- **Option A**: Places the inbound rule on the eu-west-1 application security group, which is the wrong direction (the applications are the clients, not the servers), and uses IP addresses instead of a security group reference.
- **Option C**: Uses the application server IP addresses as the rule source. This works, but it is less maintainable than a security group reference because every application server change requires a rule update, and it is less precise if the addresses are widened to a whole CIDR block.
- **Option D**: A transit gateway peering attachment connects two transit gateways, one per Region, each needing its own VPC attachment and route tables. That is more complex and more expensive than a single VPC peering connection for two VPCs. It would work, but it is not the simplest or most cost-effective design.

**Key AWS Concepts:**

- **Inter-Region VPC Peering**: Allows VPCs in different AWS Regions to communicate using private IP addresses; peering is not transitive, and inter-Region peering connections cannot be auto-accepted, the accepter side must accept them.
- **Security Group Rules**: Best practice is to reference security group IDs rather than IP addresses for better security and maintainability. Caveat for real deployments: the AWS VPC peering documentation states that a security group in a peer VPC that is in a different Region cannot be referenced, and that the peer VPC's CIDR block must be used instead. The exam key treats the cross-Region reference in option B as valid; when you actually build this, the inbound rule ends up CIDR-based, scoped as tightly as possible (the application subnets rather than the whole VPC), which is the form option C describes.
- **Route Tables**: Must be updated on both sides to route traffic for the peer VPC's CIDR block through the peering connection.
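The three steps from the explanation (peer, route, allow) as a Terraform configuration. This is an added example, not code from the question or from LeetQuiz. The VPC, route table and security group IDs, the CIDR blocks and the PostgreSQL port are assumed placeholders. Because the VPC peering API rejects a security group reference across Regions, the inbound rule uses the application subnet CIDRs as its source; the same-Region form of the rule, with a security group reference, is shown in a comment for contrast.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

# One provider per Region: the requester side lives in eu-west-1, the accepter in ap-southeast-2.
provider "aws" {
  alias  = "dub"
  region = "eu-west-1"
}

provider "aws" {
  alias  = "syd"
  region = "ap-southeast-2"
}

# Assumed placeholder identifiers for pre-existing resources (not from the question).
variable "app_vpc_id"         { default = "vpc-0a0000000000000a1" } # eu-west-1
variable "app_vpc_cidr"       { default = "10.30.0.0/16" }
variable "app_route_table_id" { default = "rtb-0a0000000000000a1" }
variable "app_subnet_cidrs"   { default = ["10.30.1.0/24", "10.30.2.0/24"] }
variable "db_vpc_id"          { default = "vpc-0d0000000000000d1" } # ap-southeast-2
variable "db_vpc_cidr"        { default = "10.20.0.0/16" }
variable "db_route_table_id"  { default = "rtb-0d0000000000000d1" }
variable "db_sg_id"           { default = "sg-0d0000000000000d1" }
variable "db_port"            { default = 5432 }                    # assumed PostgreSQL

# Step 1: request the peering from eu-west-1. peer_region makes it inter-Region;
# auto_accept is not allowed here, so the other Region must accept explicitly.
resource "aws_vpc_peering_connection" "app_to_db" {
  provider    = aws.dub
  vpc_id      = var.app_vpc_id
  peer_vpc_id = var.db_vpc_id
  peer_region = "ap-southeast-2"
  tags        = { Name = "app-euw1-to-db-apse2" }
}

resource "aws_vpc_peering_connection_accepter" "db_accepts" {
  provider                  = aws.syd
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_db.id
  auto_accept               = true
}

# Step 2: routes on BOTH sides. Peering is not transitive and a missing route on either
# side silently drops traffic, which is the most common reason "the peering doesn't work".
resource "aws_route" "app_to_db" {
  provider                  = aws.dub
  route_table_id            = var.app_route_table_id
  destination_cidr_block    = var.db_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_db.id
}

resource "aws_route" "db_to_app" {
  provider                  = aws.syd
  route_table_id            = var.db_route_table_id
  destination_cidr_block    = var.app_vpc_cidr
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.db_accepts.id
}

# Step 3: inbound rule on the database security group, database port only.
# Source is the application subnets, not the whole VPC CIDR, to keep the rule tight.
# A same-Region peering could instead use:
#   source_security_group_id = "<app sg id>"   (remove cidr_blocks)
# but that reference is rejected when the source SG is in another Region.
resource "aws_security_group_rule" "db_from_app" {
  provider          = aws.syd
  type              = "ingress"
  description       = "App tier in eu-west-1 to database port"
  security_group_id = var.db_sg_id
  from_port         = var.db_port
  to_port           = var.db_port
  protocol          = "tcp"
  cidr_blocks       = var.app_subnet_cidrs
  depends_on        = [aws_vpc_peering_connection_accepter.db_accepts]
}
```

No outbound rule is needed on the database side for replies because security groups are stateful; the application security group still needs an egress rule to the database CIDR and port if its default allow-all egress has been removed. Inter-Region peering traffic is encrypted by AWS on the backbone, but that does not replace TLS between the application and the database.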
Author: LeetQuiz Editorial Team
A global marketing company has applications that run in the ap-southeast-2 Region and the eu-west-1 Region. Applications that run in a VPC in eu-west-1 need to communicate securely with databases that run in a VPC in ap-southeast-2.
Which network design will meet these requirements?
A. Create a VPC peering connection between the eu-west-1 VPC and the ap-southeast-2 VPC. Create an inbound rule in the eu-west-1 application security group that allows traffic from the database server IP addresses in the ap-southeast-2 security group.

B. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPC. Update the subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that references the security group ID of the application servers in eu-west-1.

C. Configure a VPC peering connection between the ap-southeast-2 VPC and the eu-west-1 VPC. Update the subnet route tables. Create an inbound rule in the ap-southeast-2 database security group that allows traffic from the eu-west-1 application server IP addresses.

D. Create a transit gateway with a peering attachment between the eu-west-1 VPC and the ap-southeast-2 VPC. After the transit gateways are properly peered and routing is configured, create an inbound rule in the database security group that references the security group ID of the application servers in eu-west-1.