Which solution will meet these requirements?

By:
In: SAA-C03
Tagged:
With: 1 Comment
A company wants to deploy an internal web application on AWS.The web application must be accessible only from the company’s office.The company needs to download security patches for the web application from the internet.The company has created a VPC and has configured an AWS Site-to-Site VPN connection to the company’s office.A solutions architect must design a secure architecture for the web application.

Which solution will meet these requirements?

Deploy the web application on Amazon EC2 instances in public subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the inbound source of the ALB’s security group to 0.0.0.0/0.

Deploy the web application on Amazon EC2 instances in private subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet gateway to the VPC. Set the inbound source of the ALB’s security group to the company’s office network CIDR block.

Deploy the web application on Amazon EC2 instances in public subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in private subnets. Attach an internet gateway to the VPSet the outbound destination of the ALB’s security group to the company’s office network CIDR block.

Deploy the web application on Amazon EC2 instances in private subnets behind a public Application Load Balancer (ALB). Attach an internet gateway to the VPC. Set the outbound destination of the ALB’s security group to 0.0.0.0/0.

Explanations:

Deploying the web application on EC2 instances in public subnets with an ALB exposed to the internet (0.0.0.0/0) allows access from anywhere, which does not meet the requirement for the application to be accessible only from the company’s office.

This option places the web application in private subnets behind an internal ALB, making it accessible only from within the company’s office network via the VPN. The NAT gateways allow the instances to download patches from the internet while keeping them secure and inaccessible from outside the company’s office.

This option incorrectly places the ALB as internal while the EC2 instances are in public subnets, which contradicts the goal of limiting access. Additionally, NAT gateways should be in public subnets, not private subnets, for proper outbound internet access.

This option incorrectly deploys the web application in private subnets behind a public ALB, which would expose it to the internet, failing to restrict access to only the company’s office network. The ALB should not have outbound access set to 0.0.0.0/0 in this context.

2025-10-24

1 Comment

  1. David
    Author

    I map out that the answer is:
    Deploy the web application on Amazon EC2 instances in private subnets behind an internal Application Load Balancer (ALB). Deploy NAT gateways in public subnets. Attach an internet gateway to the VPC. Set the inbound source of the ALB’s security group to the company’s office network CIDR block.

Leave a Reply

Your email address will not be published. Required fields are marked *

five + 19 =