Which network design should the solutions architect recommend to meet these requirements?
Place the ALB, EC2 instances, and RDS database in private subnets.
Place the ALB in public subnets. Place the EC2 instances and RDS database in private subnets.
Place the ALB and EC2 instances in public subnets. Place the RDS database in private subnets.
Place the ALB outside the VPC. Place the EC2 instances and RDS database in private subnets.
Explanations:
Placing the ALB, EC2 instances, and RDS database all in private subnets would prevent the ALB from receiving traffic from the internet, and receiving that traffic is essential for an internet-facing application.
This design allows the ALB to be accessible from the internet (in public subnets), while the EC2 instances and RDS database are in private subnets, enhancing security by minimizing the exposure of resources.
While this option places the RDS database in a private subnet, having the EC2 instances in public subnets exposes them directly to the internet, which is not aligned with a defense-in-depth approach.
Placing the ALB outside the VPC is not feasible, as ALBs must be placed within a VPC to function correctly. This design would also compromise accessibility and control over the network architecture.