What should a solutions architect recommend to fix the application?
Add an explicit rule to the private subnet’s network ACL to allow traffic from the web tier’s EC2 instances.
Add a route in the VPC route table to allow traffic between the web tier’s EC2 instances and the database tier.
Deploy the web tier’s EC2 instances and the database tiers RDs instance into two separate VPCs, and configure VPC peering.
Add an inbound rule to the security group of the database tier’s RDS Instance to allow traffic from the web tier’s security group.
Explanations:
Network ACLs in their default state allow all inbound and outbound traffic. Since the web tier EC2 instances are in public subnets and the RDS instance is in private subnets, the default settings should not block traffic unless explicitly configured otherwise. Therefore, no additional rules are needed.
Route tables in their default state allow local VPC traffic. Since the web tier EC2 instances and the RDS instance are in the same VPC, no specific route needs to be added to facilitate communication between them.
Deploying the web tier’s EC2 instances and the RDS instance into separate VPCs would complicate the architecture unnecessarily. VPC peering could be set up, but this is not needed since both tiers can communicate within the same VPC with proper security configurations.
By default, security groups do not allow any inbound traffic unless explicitly allowed. To allow the web tier’s EC2 instances to connect to the RDS instance, an inbound rule must be added to the RDS instance’s security group, permitting traffic from the security group of the web tier’s EC2 instances. This is the necessary configuration to enable access from the web tier to the database.
From what I’ve seen, the answer is:
Add an inbound rule to the security group of the database tier’s RDS Instance to allow traffic from the web tier’s security group.