How should the solutions architect reconfigure the architecture to resolve this issue?
Replace the ALB with a Network Load Balancer. Configure a NAT gateway in a public subnet to allow internet traffic.
Move the EC2 instances to public subnets. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.
Update the route tables for the EC2 instances’ subnets to send 0.0.0.0/0 traffic through the internet gateway route. Add a rule to the EC2 instances’ security groups to allow outbound traffic to 0.0.0.0/0.
Create public subnets in each Availability Zone. Associate the public subnets with the ALB. Update the route tables for the public subnets with a route to the private subnets.
Explanations:
Replacing the ALB with a Network Load Balancer (NLB) does not resolve the issue of the EC2 instances being in private subnets, as an NLB would also require the instances to be reachable directly, which they are not. Additionally, a NAT gateway is used for outbound traffic from private subnets to the internet, not for allowing inbound internet traffic to the instances.
Moving EC2 instances to public subnets would expose them directly to the internet, which is not recommended for security reasons. Additionally, merely adding an outbound rule does not address the inbound traffic issue, and security best practices suggest keeping backend instances in private subnets.
Updating the instances' route tables to send 0.0.0.0/0 traffic through the internet gateway is incorrect: a subnet is private precisely because its route table has no internet gateway route, so adding one would turn the private subnets into public ones rather than fix how the ALB receives internet traffic. Adding an outbound security group rule does not address inbound reachability either, so the change does not give the instances the routing and security configuration the design calls for.
Creating public subnets for the ALB allows it to receive internet traffic directly. The ALB can then forward this traffic to the EC2 instances in private subnets. This configuration maintains the security of the EC2 instances while allowing them to receive traffic via the ALB, which properly routes requests to the targets in the private subnets.
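The following Terraform configuration is an added illustration of the chosen design; it is not part of the original question or its explanation. It puts one public subnet per Availability Zone behind an internet gateway, places the internet-facing ALB in those public subnets, keeps the EC2 targets in private subnets with no internet gateway route, and restricts the instances' security group so only the ALB can reach the application port. The AZ names, CIDR blocks, AMI, port numbers, resource names and the ACM certificate ARN are assumed placeholders.

```hcl
# Added example, not from the original page. Placeholders: AZs, CIDRs, AMI, cert ARN.
variable "certificate_arn" {} # assumed: ARN of an existing ACM certificate
variable "ami_id" {}          # assumed: AMI for the application instances
locals { azs = ["us-east-1a", "us-east-1b"] }

resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }

# One public subnet per AZ for the ALB (an internet-facing ALB needs at least two AZs).
resource "aws_subnet" "public" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.main.id
  availability_zone = local.azs[count.index]
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
}
# Private subnets for the instances: no IGW route, so nothing reaches them from the internet.
resource "aws_subnet" "private" {
  count             = length(local.azs)
  vpc_id            = aws_vpc.main.id
  availability_zone = local.azs[count.index]
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index + 10)
}

# Public route table: 0.0.0.0/0 -> IGW. The VPC's implicit "local" route already
# carries ALB-to-target traffic, so no explicit route to the private subnets is needed.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  count          = length(local.azs)
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# ALB security group: HTTPS in from the internet; egress open so it can reach targets.
resource "aws_security_group" "alb" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
# Instance security group: application port reachable only from the ALB's security group.
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }
}

resource "aws_instance" "app" {
  count                  = length(local.azs)
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private[count.index].id # targets stay private
  vpc_security_group_ids = [aws_security_group.app.id]
}

resource "aws_lb" "web" {
  name               = "web-alb"
  load_balancer_type = "application"
  internal           = false
  security_groups    = [aws_security_group.alb.id]
  subnets            = aws_subnet.public[*].id # the fix: ALB nodes live in the public subnets
}
resource "aws_lb_target_group" "app" {
  name     = "web-targets"
  port     = 8080
  protocol = "HTTP"
  vpc_id   = aws_vpc.main.id
}
resource "aws_lb_target_group_attachment" "app" {
  count            = length(local.azs)
  target_group_arn = aws_lb_target_group.app.arn
  target_id        = aws_instance.app[count.index].id
}
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.web.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.certificate_arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

Two points worth checking in a real deployment: the private subnets' route table must not contain an internet gateway route (only the public route table does here), and the instance security group should admit the application port from the ALB's security group rather than from any CIDR, so that traffic can only arrive via the load balancer.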