AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company is designing a new multi-tier web application that consists of the following components:

Web and application servers that run on Amazon EC2 instances as part of Auto Scaling groups
An Amazon RDS DB instance for data storage

A solutions architect needs to limit access to the application servers so that only the web servers can access them.

Which solution will meet these requirements?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Deploy AWS PrivateLink in front of the application servers. Configure the network ACL to allow only the web servers to access the application servers.

Deploy a VPC endpoint in front of the application servers. Configure the security group to allow only the web servers to access the application servers.

Deploy a Network Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the network ACL to allow only the web servers to access the application servers.

Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.

Explanation:

Explanation

The correct answer is D because:

Security Groups vs Network ACLs: Security groups operate at the instance level and are stateful, while network ACLs operate at the subnet level and are stateless. For controlling access between EC2 instances within the same VPC, security groups are the preferred and more granular method.
Application Load Balancer (ALB): An ALB is appropriate for web applications as it operates at Layer 7 (application layer) and can route traffic based on content. It works well with Auto Scaling groups.
Proper Architecture: The solution uses an ALB with a target group containing the application servers' Auto Scaling group, and then configures the security group to allow only the web servers to access the application servers. This ensures:
- Traffic flows through the ALB
- Security group rules restrict access to only web servers
- Auto Scaling integration is maintained

Why other options are incorrect:

A: AWS PrivateLink is for private connectivity to AWS services, not for internal VPC traffic between EC2 instances.
B: VPC endpoints are for connecting to AWS services privately, not for load balancing between EC2 instances.
C: Network Load Balancer (NLB) operates at Layer 4 and is less suitable for web applications compared to ALB. Also, using network ACLs instead of security groups is less granular and more complex to manage for this use case.

Key AWS Concepts:

Security Groups: Act as virtual firewalls for EC2 instances, controlling inbound and outbound traffic
Application Load Balancer: Distributes application traffic across multiple targets
Auto Scaling Groups: Automatically adjust the number of EC2 instances based on demand
Target Groups: Route requests to registered targets using specified protocol and port

Powered ByGPT-5.2

Comments

Loading comments...