Which configuration below will allow you to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?
Create a bastion and NAT instance in subnet-258bc44d, and add a route from rtb-238bc44b to the NAT instance.
Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within subnet-248bc44c.
Create a bastion and NAT instance in subnet-248bc44c, and add a route from rtb-238bc44b to subnet-258bc44d.
Create a bastion and NAT instance in subnet-258bc44d, add a route from rtb-238bc44b to igw-2d8bc445, and a new NACL that allows access between subnet-258bc44d and subnet-248bc44c.
Explanations:
This option places the NAT and bastion hosts in the public subnet (subnet-258bc44d) with a route to the internet, allowing controlled access to internal servers and enabling them to retrieve updates from the internet.
Routing rtb-238bc44b to the internet gateway (IGW) would expose the private subnets directly to the internet, violating the security requirement.
Creating the NAT and bastion in subnet-248bc44c (private subnet) would not work since this subnet lacks internet access, making it unable to retrieve updates.
Routing rtb-238bc44b to the IGW would expose the private subnets to the internet, violating the requirement for application and database servers to remain isolated.
As far as I’m aware, the answer is:
Create a bastion and NAT instance in subnet-258bc44d, and add a route from rtb-238bc44b to the NAT instance.