
Answer-first summary for fast verification
Answer: Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.
## Explanation

The correct answer is **D** because:

1. **Security groups vs. network ACLs**: Security groups are stateful and attach to the instance (strictly, to its network interface); network ACLs are stateless and attach to the subnet. The decisive difference for this question is that a security group rule can name another security group as its source, whereas a network ACL rule can only match CIDR ranges. "Only the web servers" is membership of a security group, not a fixed set of IP addresses, so security groups express the requirement directly and keep enforcing it as Auto Scaling replaces instances.

2. **Application Load Balancer (ALB)**: An ALB operates at Layer 7 (HTTP/HTTPS), can route on host, path and headers, and takes an Auto Scaling group as the registered target group, so instances are added to and removed from the pool automatically and health-checked.

3. **Resulting architecture**: Web servers send requests to an ALB whose target group is the application servers' Auto Scaling group. Traffic flows web tier -> ALB -> application tier, and security group rules ensure only web servers can start that flow. Practitioner note: the ALB nodes carry their own security group, so the chain is built from two references: the ALB's security group admits the web servers' security group, and the application servers' security group admits only the ALB's security group on the application port. The application servers' rule must admit the ALB's group in any case, because ALB health checks originate from the ALB nodes. Make the ALB internal (not internet-facing) so the only path to the application tier is from inside the VPC.

**Why the other options are incorrect**:

- **A**: AWS PrivateLink publishes a service as an endpoint service (which must itself sit behind a Network Load Balancer) for consumers in other VPCs or accounts; it is not the tool for tier-to-tier access inside one VPC. The network ACL half also fails, since ACL rules match CIDR blocks and cannot refer to "the web servers" as a group.
- **B**: A VPC endpoint is the consumer side of PrivateLink, or a gateway endpoint to S3 or DynamoDB; it does not sit "in front of" your own EC2 instances and does not load-balance them. The security group configuration is right, but the component it is attached to does not exist in this design.
- **C**: A Network Load Balancer would work functionally (Layer 4 carries HTTP fine) but offers no Layer 7 routing; the real disqualifier is the network ACL, which is stateless (return traffic needs separate ephemeral-port rules) and cannot name the web servers' security group as a source.

**Key AWS concepts**:

- **Security groups**: Stateful virtual firewalls attached to network interfaces, controlling inbound and outbound traffic; rules may reference CIDR ranges or other security groups
- **Application Load Balancer**: Distributes HTTP/HTTPS traffic across multiple targets with Layer 7 routing and health checks
- **Auto Scaling groups**: Automatically adjust the number of EC2 instances based on demand
- **Target groups**: Route requests to registered targets (here, the Auto Scaling group) using the specified protocol and port
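The following is an added example, not part of the original question page: a small audit that checks whether the application tier's security group admits only the ALB's security group on the application port, run over constructed sample data in the shape `ec2.describe_security_groups()` returns. The group IDs (`sg-web`, `sg-alb`, `sg-app`), the port 8080 and the VPC CIDR 10.0.0.0/16 are hypothetical. The "weak" data set trusts the whole VPC CIDR (so any instance in the VPC can reach the app port); the "hardened" set is the option D chain web -> ALB -> app keyed on security group references.

```python
"""Audit an application-tier security group for the ALB pattern (option D).

Added example; sample data is constructed inline and all IDs are hypothetical.
"""
from __future__ import annotations

from collections.abc import Iterable

APP_PORT = 8080  # hypothetical application port


def sg(group_id: str, ingress: list[dict]) -> dict:
    """Minimal SecurityGroup record carrying only GroupId and IpPermissions."""
    return {"GroupId": group_id, "IpPermissions": ingress}


def rule(port: int, *, cidrs: Iterable[str] = (), source_sgs: Iterable[str] = ()) -> dict:
    """One IpPermissions entry admitting TCP `port` from CIDRs and/or other groups."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in source_sgs],
    }


# Constructed sample: weak design, app tier open to the entire (hypothetical) VPC CIDR.
WEAK_GROUPS = [
    sg("sg-web", [rule(443, cidrs=["0.0.0.0/0"])]),
    sg("sg-alb", [rule(APP_PORT, source_sgs=["sg-web"])]),
    sg("sg-app", [rule(APP_PORT, cidrs=["10.0.0.0/16"])]),
]

# Constructed sample: hardened design, each hop admits only the previous hop's group.
HARDENED_GROUPS = [
    sg("sg-web", [rule(443, cidrs=["0.0.0.0/0"])]),
    sg("sg-alb", [rule(APP_PORT, source_sgs=["sg-web"])]),
    sg("sg-app", [rule(APP_PORT, source_sgs=["sg-alb"])]),
]


def _covers_port(perm: dict, port: int) -> bool:
    """True if the permission admits TCP `port` (protocol -1 means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_app_tier(groups: list[dict], app_sg: str, alb_sg: str, port: int) -> list[str]:
    """Return one finding per ingress path to `port` on `app_sg` other than the
    ALB's group, plus a finding if the ALB's group is not admitted at all
    (health checks come from the ALB nodes).  Empty list means locked down."""
    by_id = {g["GroupId"]: g for g in groups}
    app = by_id.get(app_sg)
    if app is None:
        return [f"{app_sg}: group not found"]
    findings: list[str] = []
    admits_alb = False
    for perm in app["IpPermissions"]:
        if not _covers_port(perm, port):
            continue
        for r in perm.get("IpRanges", []):
            findings.append(f"{app_sg}: port {port} open to CIDR {r['CidrIp']}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{app_sg}: port {port} open to CIDR {r['CidrIpv6']}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] == alb_sg:
                admits_alb = True
            else:
                findings.append(f"{app_sg}: port {port} open to group {pair['GroupId']}")
    if not admits_alb:
        findings.append(
            f"{app_sg}: no rule admits {alb_sg} on port {port}; targets will fail health checks"
        )
    return findings


def app_ingress_permission(alb_sg: str, port: int) -> dict:
    """The IpPermissions entry to pass to authorize_security_group_ingress()
    so that the application tier admits only the ALB's group on `port`."""
    return rule(port, source_sgs=[alb_sg])


if __name__ == "__main__":
    for label, groups in (("weak", WEAK_GROUPS), ("hardened", HARDENED_GROUPS)):
        print(label, audit_app_tier(groups, "sg-app", "sg-alb", APP_PORT) or ["ok"])
```

To run this against a real account, replace the constructed lists with the `SecurityGroups` list from `boto3.client("ec2").describe_security_groups(Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])`; the record fields used here (`GroupId`, `IpPermissions`, `IpRanges`, `Ipv6Ranges`, `UserIdGroupPairs`) are the ones that call returns. `app_ingress_permission()` produces the structure you would pass as `IpPermissions=[...]` to `authorize_security_group_ingress(GroupId=app_sg, ...)`.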
Author: LeetQuiz Editorial Team
A company is designing a new multi-tier web application that consists of the following components:
A solutions architect needs to limit access to the application servers so that only the web servers can access them.
Which solution will meet these requirements?
A. Deploy AWS PrivateLink in front of the application servers. Configure the network ACL to allow only the web servers to access the application servers.
B. Deploy a VPC endpoint in front of the application servers. Configure the security group to allow only the web servers to access the application servers.
C. Deploy a Network Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the network ACL to allow only the web servers to access the application servers.
D. Deploy an Application Load Balancer with a target group that contains the application servers' Auto Scaling group. Configure the security group to allow only the web servers to access the application servers.