How should a solutions architect configure the communication between the EC2 instances and the DB instance?
Configure the "web-servers" security group to allow access to the DB instance's current IP addresses. Configure the "database" security group to allow access from the current set of IP addresses in use by the EC2 instances.
Configure the "web-servers" security group to allow access to the "database" security group. Configure the "database" security group to allow access from the "web-servers" security group.
Configure the "web-servers" security group to allow access to the DB instance's current IP addresses. Configure the "database" security group to allow access from the Auto Scaling group.
Configure the "web-servers" security group to allow access to the "database" security group. Configure the "database" security group to allow access from the Auto Scaling group.
Explanations:
Security group rules should reference other security groups (by security group ID), not hard-coded IP addresses. Rules pinned to the current addresses break as soon as Auto Scaling launches or replaces instances, and the DB instance's private IP address is not stable either (it can change on failover or maintenance), so both halves of this option would need constant manual updates.
This is the correct approach. A security group rule can name another security group as its source (inbound) or destination (outbound); AWS evaluates membership when traffic is processed, so the rule follows instances as they are launched and terminated. An inbound rule on the "database" group that allows the DB port from the "web-servers" group, together with an outbound rule on the "web-servers" group toward the "database" group (only required if the group's default allow-all egress has been removed), restricts database access to the web tier regardless of IP address changes. Nothing else is able to reach the DB instance unless it is placed in the "web-servers" group or another rule is added.
This has the same IP-address problem as option A on the "web-servers" side. In addition, an Auto Scaling group is not a valid source for a security group rule: rules accept CIDR blocks, managed prefix lists, or security group IDs. The Auto Scaling group's instances receive their security groups from the launch template or launch configuration, and that security group is what the "database" rule must reference.
Allowing the "web-servers" security group to reach the "database" security group is correct, but the "database" security group cannot allow access "from the Auto Scaling group", because a rule cannot reference an Auto Scaling group or any other collection of instances. Reference the "web-servers" security group that the Auto Scaling group assigns to its instances instead.
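The following Terraform configuration is an added example of option B, not part of the original question or its explanations. It assumes an existing VPC and DB subnet group (passed in as variables), an AMI ID for the web tier, and MySQL on TCP 3306 as the database port; adjust the port for other engines. The AWS CLI equivalent of the inbound rule is `aws ec2 authorize-security-group-ingress --group-id <database-sg-id> --protocol tcp --port 3306 --source-group <web-servers-sg-id>`.

```hcl
# Added example (not from the original page): two security groups that
# reference each other by ID, so the rules follow Auto Scaling instances
# and the DB instance as their private IP addresses change.
# Assumptions: existing VPC and DB subnet group, a web-tier AMI, MySQL/3306.

variable "vpc_id" { type = string }            # assumed existing VPC
variable "db_subnet_group" { type = string }   # assumed existing DB subnet group
variable "web_ami_id" { type = string }        # assumed web-tier AMI

resource "aws_security_group" "web_servers" {
  name        = "web-servers"
  description = "Auto Scaling web tier"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "database" {
  name        = "database"
  description = "DB instance"
  vpc_id      = var.vpc_id
}

# Inbound on the database tier: only the DB port, only from members of
# the web-servers group. No CIDR, no instance IPs.
resource "aws_vpc_security_group_ingress_rule" "db_from_web" {
  security_group_id            = aws_security_group.database.id
  referenced_security_group_id = aws_security_group.web_servers.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  description                  = "MySQL from web-servers security group"
}

# Outbound on the web tier: to the database group on the DB port.
# Needed because Terraform removes the default allow-all egress rule
# when it creates aws_security_group without inline egress blocks.
resource "aws_vpc_security_group_egress_rule" "web_to_db" {
  security_group_id            = aws_security_group.web_servers.id
  referenced_security_group_id = aws_security_group.database.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  description                  = "MySQL to database security group"
}

# The Auto Scaling group's instances get the web-servers group from the
# launch template; that group, not the Auto Scaling group, is what the
# database rule references.
resource "aws_launch_template" "web" {
  name_prefix            = "web-"
  image_id               = var.web_ami_id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web_servers.id]
}

resource "aws_db_instance" "app" {
  identifier                  = "app-db"
  engine                      = "mysql"
  instance_class              = "db.t3.micro"
  allocated_storage           = 20
  db_subnet_group_name        = var.db_subnet_group
  username                    = "admin"
  manage_master_user_password = true
  vpc_security_group_ids      = [aws_security_group.database.id]
  skip_final_snapshot         = true
}
```

Two design points. The rules are separate `aws_vpc_security_group_*_rule` resources rather than inline `ingress`/`egress` blocks; inline blocks that reference each other's group IDs create a dependency cycle, whereas standalone rules are created after both groups exist. And because the web-servers group now has only the one egress rule, any other outbound traffic the web tier needs (package updates, HTTPS to external APIs) must be added explicitly, which is the least-privilege posture the question is driving at. Both groups must live in the same VPC for the reference to be valid.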