How should a solutions architect configure the communication between the EC2 instances and the DB instance?

By:
In: SAA-C02
Tagged:
With: 1 Comment
A company is designing an application to run in a VPC on AWS.The application consists of Amazon EC2 instances that run in private subnets as part of an AutoScaling group.The application also includes a Network Load Balancer that extends across public subnets.The application stores data in an Amazon RDS DB instance.The company has attached a security group that is named `web-servers` to the EC2 instances.The company has attached a security group that is named`database` to the DB instance.

How should a solutions architect configure the communication between the EC2 instances and the DB instance?

Configure the ג€web-serversג€ security group to allow access to the DB instance’s current IP addresses. Configure the ג€databaseג€ security group to allow access from the current set of IP addresses in use by the EC2 instances.

Configure the ג€web-serversג€ security group to allow access to the ג€databaseג€ security group. Configure the ג€databaseג€ security group to allow access from the ג€web-serversג€ security group.

Configure the ג€web-serversג€ security group to allow access to the DB instance’s current IP addresses. Configure the ג€databaseג€ security group to allow access from the Auto Scaling group.

Configure the ג€web-serversג€ security group to allow access to the ג€databaseג€ security group. Configure the ג€databaseג€ security group to allow access from the Auto Scaling group.

Explanations:

Security groups should be used to control traffic based on group names, not IP addresses. Manually configuring IP addresses could lead to issues when the IPs of the EC2 instances change due to Auto Scaling.

This is the correct approach. Security groups allow for referencing other security groups, so configuring theweb-serverssecurity group to allow access to thedatabasesecurity group (and vice versa) ensures secure communication between the EC2 instances and the DB instance regardless of IP address changes.

Configuring security groups based on static IP addresses is not ideal and could lead to scalability issues. Also, an Auto Scaling group does not have fixed IP addresses, so the solution would not work efficiently.

While it is correct to allow communication from theweb-serverssecurity group to thedatabasesecurity group, thedatabasesecurity group should not allow access from the Auto Scaling group directly. Security groups should reference other security groups, not groups of EC2 instances like Auto Scaling groups.

2025-10-15

1 Comment

  1. Elijah
    Author

    I rank that the answer is:
    Configure the ג€web-serversג€ security group to allow access to the ג€databaseג€ security group. Configure the ג€databaseג€ security group to allow access from the ג€web-serversג€ security group.

Leave a Reply

Your email address will not be published. Required fields are marked *

10 + fourteen =