What should a solutions architect recommend to fix the application?

By:
In: SAA-C02
Tagged:
With: 2 Comments
A company is deploying a two-tier web application in a VPC.The web tier is using an Amazon EC2 Auto Scaling group with public subnets that span multipleAvailability Zones.The database tier consists of Amazon RDS for MySQL DB instance in separate private subnets.The web tier requires access to the database to retrieve product information.The web application is not working as intended.The web application reports that it cannot connect to the database.The database is confirmed to be up and running.All configurations for the network ACLs, security groups, and route tables are still in their default states.

What should a solutions architect recommend to fix the application?

Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.

Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database tier.

Deploy the web tier’s EC2 instances and the database tiers RDs instance into two separate VPCs, and configure VPC peering.

Add an inbound rule to the security group of the database tier’s RDS Instance to allow traffic from the web tier’s security group.

Explanations:

Network ACLs in their default state allow all inbound and outbound traffic. Since the web tier EC2 instances are in public subnets and the RDS instance is in private subnets, the default settings should not block traffic unless explicitly configured otherwise. Therefore, no additional rules are needed.

Route tables in their default state allow local VPC traffic. Since the web tier EC2 instances and the RDS instance are in the same VPC, no specific route needs to be added to facilitate communication between them.

Deploying the web tier’s EC2 instances and the RDS instance into separate VPCs would complicate the architecture unnecessarily. VPC peering could be set up, but this is not needed since both tiers can communicate within the same VPC with proper security configurations.

By default, security groups do not allow any inbound traffic unless explicitly allowed. To allow the web tier’s EC2 instances to connect to the RDS instance, an inbound rule must be added to the RDS instance’s security group, permitting traffic from the security group of the web tier’s EC2 instances. This is the necessary configuration to enable access from the web tier to the database.

2026-04-07

2 Comments

  1. Ryan
    Author

    From what I’ve seen, the answer is:
    Add an inbound rule to the security group of the database tier’s RDS Instance to allow traffic from the web tier’s security group.

  2. Mason
    Author

    I systematize that the answer is:
    Add an inbound rule to the security group of the database tier’s RDS Instance to allow traffic from the web tier’s security group.

Leave a Reply

Your email address will not be published. Required fields are marked *

17 − sixteen =