What should a solutions architect recommend to fix the application?
Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.
Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database tier.
Deploy the web tier’s EC2 instances and the database tier’s RDS instance into two separate VPCs, and configure VPC peering.
Add an inbound rule to the security group of the database tier’s RDS instance to allow traffic from the web tier’s security group.
Explanations:
The default network ACL allows all inbound and outbound traffic, so the web tier’s EC2 instances in a public subnet can reach the database in a private subnet without any explicit network ACL rule, provided the security groups allow it. An explicit network ACL rule is only needed if the private subnet is associated with a custom network ACL (which denies everything until rules are added); even then, because network ACLs are stateless, the rule would have to cover both the database port inbound and the ephemeral return ports outbound. Nothing in the question indicates a custom network ACL, so this option does not address the cause.
Every VPC route table contains a local route for the VPC’s CIDR block that cannot be modified or removed, so instances in different subnets of the same VPC can already route to each other. There is no route to add, and adding one does not address the security group constraint that is actually blocking the connection.
Deploying the web tier and the database tier in separate VPCs with VPC peering would only complicate the architecture. Peering exists to connect distinct VPCs; the two tiers are already in the same VPC and can communicate as soon as the security groups are configured correctly.
A security group denies all inbound traffic unless a rule explicitly allows it, so the RDS instance’s security group will drop the web tier’s connection attempts until an inbound rule for the database port is added. Referencing the web tier’s security group as the source (rather than individual instance IP addresses or a subnet CIDR) means every current and future instance in that group, including instances launched by Auto Scaling, is allowed, and nothing else is. Security groups are stateful, so the return traffic is permitted automatically and no additional outbound rule is needed on the database security group. This is the correct fix.
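The fix described in the last explanation, written out in Terraform as an added example (this is not code from the original question or from AWS; the resource names, the variables, the private subnet group and the MySQL port 3306 are assumptions, since the question does not name the database engine):

```hcl
# Added example: database security group that admits only the web tier's security group.
# Assumed inputs: var.vpc_id, var.db_subnet_group (a subnet group spanning the private
# subnets) and var.db_password. The engine/port (MySQL, 3306) is an assumption.

resource "aws_security_group" "web" {
  name   = "web-tier"
  vpc_id = var.vpc_id

  # Public-facing ingress for the web tier (HTTPS from anywhere).
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Caveat: Terraform-managed security groups do NOT keep the console's
  # default "allow all outbound" rule, so the web tier needs an explicit
  # egress rule toward the database. It is scoped to the DB security group.
  egress {
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.db.id]
  }
}

resource "aws_security_group" "db" {
  name   = "db-tier"
  vpc_id = var.vpc_id
  # No ingress block: a security group denies all inbound traffic until a rule allows it.
  # The single allowed source is attached below as a separate rule resource.
}

# The actual fix (option D): allow the database port inbound on the DB security group,
# with the web tier's security group as the source instead of an IP range.
resource "aws_security_group_rule" "db_from_web" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.web.id
  description              = "MySQL from web tier only"
}

# Minimal RDS instance in the private subnets, attached to the DB security group.
resource "aws_db_instance" "app" {
  identifier             = "app-db"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "appadmin"
  password               = var.db_password
  db_subnet_group_name   = var.db_subnet_group
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false
  skip_final_snapshot    = true
}
```

After applying, the check a practitioner would run is to confirm the DB security group has exactly one inbound rule, with the web tier’s security group ID (not a CIDR) as the source, and that the subnet’s network ACL is still the default (allow all) or otherwise permits the database port and the ephemeral return range. Using the security group as the source keeps the rule correct when Auto Scaling replaces web instances, whereas a rule keyed to instance IP addresses silently breaks.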