How can the security engineer implement this solution?
Create a new security group in the database VPC and create an inbound rule that allows all traffic from the IP address range of the application VPC. Add a new network ACL rule on the database subnets. Configure the rule to allow TCP port 1521 from the IP address range of the application VPC. Attach the new security group to the database instances that the application instances need to access.
Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Create a new security group in the database VPC with an inbound rule that allows the IP address range of the application VPC over port 1521. Attach the new security group to the database instances and the application instances that need database access.
Create a new security group in the application VPC with no inbound rules. Create a new security group in the database VPC with an inbound rule that allows TCP port 1521 from the new application security group in the application VPC. Attach the application security group to the application instances that need database access, and attach the database security group to the database instances.
Create a new security group in the application VPC with an inbound rule that allows the IP address range of the database VPC over TCP port 1521. Add a new network ACL rule on the database subnets. Configure the rule to allow all traffic from the IP address range of the application VPC. Attach the new security group to the application instances that need database access.
Explanations:
The first option combines network ACLs with security groups. Security groups are stateful, and network ACLs are stateless. Using network ACLs to control access by IP range on top of security groups adds unnecessary complexity. Also, the security group should control access to the database, not a separate network ACL rule.
The second option creates security groups that allow access from the IP address range of the other VPC, but the rules should reference the source security group itself, not IP ranges. This approach also does not use the most efficient method of controlling access between resources across a VPC peering connection.
The third option correctly uses security groups to control access. The database security group allows incoming connections on TCP port 1521 only from the application security group, and the application security group is attached only to the specific EC2 instances that need database access. This ensures that only the appropriate EC2 instances in the application VPC can reach the database, maintaining the principle of least privilege.
The fourth option uses network ACLs inappropriately by relying on them to restrict access by IP range. While network ACLs can add a layer of security at the subnet level, security groups should be used to control access between the EC2 instances and the database. In this context the security groups, not network ACLs, should manage the inbound and outbound traffic.
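The check below is an added example, not part of the original question: it audits a database security group in the shape returned by the EC2 DescribeSecurityGroups API and flags the weaknesses of the second option (CIDR sources, rules broader than TCP 1521) while accepting the third option's pattern (a single rule sourced from the application security group). The group IDs and CIDRs are constructed sample values; the pattern assumes the VPC peering is within one region, which AWS requires for cross-VPC security group references.

```python
"""Audit a database security group against the least-privilege pattern:
only TCP 1521, only sourced from the application security group."""

DB_PORT = 1521  # Oracle listener port used in the question

# Constructed sample (third option): the only inbound rule references the
# application security group rather than an IP range.
GOOD_DB_SG = {
    "GroupId": "sg-db000001",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app00001"}]},
    ],
}

# Constructed sample (second-option style, plus an all-traffic rule): trusts
# the whole application VPC CIDR and opens more than the database port.
BAD_DB_SG = {
    "GroupId": "sg-db000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": DB_PORT, "ToPort": DB_PORT,
         "IpRanges": [{"CidrIp": "10.1.0.0/16"}], "UserIdGroupPairs": []},
        # IpProtocol "-1" carries no FromPort/ToPort in the real response
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}


def audit_db_security_group(sg, app_sg_id, port=DB_PORT):
    """Return a list of findings; an empty list means the group only allows
    TCP `port` and only from `app_sg_id` (the pattern of the third option)."""
    findings = []
    saw_app_sg = False
    for perm in sg.get("IpPermissions", []):
        proto, lo, hi = perm.get("IpProtocol"), perm.get("FromPort"), perm.get("ToPort")
        scope = f"{proto} {lo}-{hi}"
        # Any IPv4/IPv6 range as a source means access is tied to addresses, not identity
        for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
            cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
            findings.append(f"CIDR source {cidr} on {scope}: reference the app security group instead")
        exact_port = proto == "tcp" and lo == port and hi == port
        if not exact_port:
            findings.append(f"rule {scope} exceeds TCP {port}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == app_sg_id and exact_port:
                saw_app_sg = True
            elif pair.get("GroupId") != app_sg_id:
                findings.append(f"unexpected source group {pair.get('GroupId')} on {scope}")
    if not saw_app_sg:
        findings.append(f"no rule allows TCP {port} from {app_sg_id}")
    return findings
```

Pointing the function at real data means feeding it the `SecurityGroups` entries from `describe_security_groups`; the same check can be applied to the application security group with an empty expected rule set.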