I have a web application with the VPC configuration shown below.
Subnet 1 (172.31.0.0/20) hosts a web server (on an EC2 instance) and Subnet 2 (172.31.16.0/20) hosts a database server (on an EC2 instance).
Which of the statements below do NOT describe good practice from a security and compliance perspective, and which may be modified in the diagram? Select TWO.
A. B. C. D. E.
Answers: D and E.
The figure above shows that both the database server and the web server have a route to the internet gateway through the main route table.
Database servers are usually hosted in a private (non-DMZ) subnet, which gives more protection from outside attack.
Also, since the web server front-ends the application requests, there is no need to expose the backend database directly to the internet.
Option A is incorrect.
Since the web server front-ends application requests, it should have a route to the internet gateway so that it is reachable from the internet.
Option B is incorrect.
A default subnet auto-assigns a public IPv4 address in addition to the private IPv4 address.
The web server needs either a public IPv4 address or an Elastic IP address to be accessible from the internet; a route to the internet gateway on its own is not enough.
Option C is incorrect.
A NAT gateway gives the database server outbound-only access to the internet, for example to download software patches, while connections initiated from the internet cannot reach the server through it.
This is good practice for preventing direct ingress to the database server from the internet.
The diagram can be modified to reflect this change.
Option D is CORRECT.
Since the database server does not need a public IP, it is better hosted in a nondefault subnet, which does not auto-assign a public IPv4 address on launch.
Option E is CORRECT.
The database server should not have a route to the internet gateway; its subnet should be associated with a separate route table whose default route points at the NAT gateway instead of relying on the main route table.
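The following is an added example, not part of the original question or its explanation. It checks a VPC for the two problems the answer identifies (a database subnet that reaches an internet gateway through its route table, and a subnet that auto-assigns public IPv4 addresses) and shows the "before" state from the diagram beside the corrected state. The dictionaries are constructed to mirror the shape of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` output; all resource IDs (`rtb-main`, `igw-0abc`, `nat-0abc`, `subnet-db`, and so on) are made up.

```python
"""Audit a VPC's subnets against the rule from the question: the database
subnet must not route to an internet gateway and must not auto-assign
public IPv4 addresses.

Added example, not the page's own code. The data below is constructed to
look like trimmed describe-subnets / describe-route-tables output; the
resource IDs are invented.
"""

# Constructed "before" state from the diagram: both subnets fall back to the
# main route table, which has a default route to an internet gateway, and both
# subnets auto-assign public IPv4 addresses (default-subnet behaviour).
VPC_BEFORE = {
    "Subnets": [
        {"SubnetId": "subnet-web", "CidrBlock": "172.31.0.0/20", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-db", "CidrBlock": "172.31.16.0/20", "MapPublicIpOnLaunch": True},
    ],
    "RouteTables": [
        {
            "RouteTableId": "rtb-main",
            "Associations": [{"Main": True}],  # implicit association for every subnet
            "Routes": [
                {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
            ],
        }
    ],
}

# Constructed "after" state: the database subnet gets its own route table whose
# default route points at a NAT gateway (outbound patching only), and it no
# longer auto-assigns public IPv4 addresses. The web subnet is unchanged.
VPC_AFTER = {
    "Subnets": [
        {"SubnetId": "subnet-web", "CidrBlock": "172.31.0.0/20", "MapPublicIpOnLaunch": True},
        {"SubnetId": "subnet-db", "CidrBlock": "172.31.16.0/20", "MapPublicIpOnLaunch": False},
    ],
    "RouteTables": [
        VPC_BEFORE["RouteTables"][0],
        {
            "RouteTableId": "rtb-private",
            "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
            "Routes": [
                {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},
            ],
        },
    ],
}


def route_table_for(subnet_id, route_tables):
    """Return the route table that applies to a subnet: its explicit
    association if one exists, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("VPC has no main route table")
    return main


def classify(route_table):
    """'public' if any route targets an internet gateway, 'private' if the
    only way out is a NAT gateway, 'isolated' if there is no route off-VPC."""
    kind = "isolated"
    for route in route_table["Routes"]:
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if "NatGatewayId" in route:
            kind = "private"
    return kind


def audit(vpc, must_be_private):
    """Return findings for the subnets (by ID) that must not be reachable
    from the internet."""
    findings = []
    for subnet in vpc["Subnets"]:
        sid = subnet["SubnetId"]
        if sid not in must_be_private:
            continue
        rt = route_table_for(sid, vpc["RouteTables"])
        if classify(rt) == "public":
            findings.append(f"{sid}: route table {rt['RouteTableId']} routes to an internet gateway")
        if subnet.get("MapPublicIpOnLaunch"):
            findings.append(f"{sid}: auto-assigns public IPv4 addresses on launch")
    return findings


if __name__ == "__main__":
    for label, vpc in (("before", VPC_BEFORE), ("after", VPC_AFTER)):
        print(label, audit(vpc, {"subnet-db"}) or ["OK"])
```

Against the "before" state the audit reports both problems for `subnet-db`; against the "after" state it reports none, while `subnet-web` still classifies as public, which is what the web tier needs. The explicit-association check in `route_table_for` matters: a subnet with no association of its own silently inherits the main route table, which is exactly how the database subnet in the diagram ends up with an internet gateway route.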
Diagram:
References:
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://www.testpreptraining.com/tutorial/aws-cloud-practitioner/aws-cloud-security/