Which solutions would be the best to satisfy all the above requirements for your planned public website on AWS?
(Choose two.)
Set up both the public website and the database on a public subnet and block all incoming requests from the Internet with a Network Access Control List (NACL).
Set up both the public website and the database on a public subnet, and block all incoming requests from the Internet with a security group which only allows access from the IP of the public website.
Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance.
Set up both the public website and the database on a private subnet and block all incoming requests from the Internet with a Network Access Control List (NACL). Set up a security group between the public website and the database which only allows access via port 80.
Explanations:
Setting up both the public website and the database on a public subnet exposes the database to incoming traffic from the Internet, which violates the requirement of not allowing incoming traffic to the database. Network Access Control Lists (NACLs) can filter traffic but are not as granular as security groups. Thus, this configuration does not meet the security requirements.
While using a security group to limit access to the database from the public website’s IP is better than a NACL, placing both the public website and the database in a public subnet exposes the database to the Internet. This configuration still does not fulfill the requirement of preventing incoming traffic to the database.
This option correctly places the public website in a public subnet, allowing it to receive incoming traffic from the Internet, while the database is placed in a private subnet. The database can connect to the Internet for updates through a NAT instance, and since it is in a private subnet, it is not directly accessible from the Internet, satisfying all requirements.
Although placing both the public website and the database in a private subnet would prevent incoming Internet traffic to the database, it would also prevent the public website from being accessible to users on the Internet. This configuration does not meet the requirement of having a public website while also protecting the database from incoming traffic.