Which solution will meet these requirements?
Create a new route table that excludes the route to the public subnets’ CIDR blocks. Associate the route table with the database subnets.
Create a security group that denies inbound traffic from the security group that is assigned to instances in the public subnets. Attach the security group to the DB instances.
Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances.
Create a new peering connection between the public subnets and the private subnets. Create a different peering connection between the private subnets and the database subnets.
Explanations:
A route table excluding the public subnet routes will not isolate access to the RDS databases effectively, as this does not control traffic flow from private subnets. Route table settings alone cannot enforce network restrictions within the VPC.
Security groups cannot deny traffic in AWS; they only allow specific traffic by default. This option suggests denial-based security configurations, which are not possible in AWS security groups.
This solution uses security groups to explicitly allow traffic only from instances in private subnets, thus permitting access only from intended EC2 instances to the RDS databases, fulfilling the requirement.
Peering connections between subnets within the same VPC are not applicable. Subnets in a VPC are inherently connected, so peering is unnecessary and cannot enforce the specified access control.
As far as I’m aware, the answer is:
Create a security group that allows inbound traffic from the security group that is assigned to instances in the private subnets. Attach the security group to the DB instances.