You have an EC2 Instance in a VPC which has two AZs.
The EC2 Instance has an ENI with a public and private IP address.
The EC2 Instance is hosting a web server.
This web server connects to a database RDS Instance.
There is a backup web server available on another subnet.
You have initiated a disaster recovery scenario and detached the ENI from its original instance and attached it to the backup web server's instance in the other subnet.
When you try to use the web application, it now seems that the web server cannot connect to the database server.
Which of the following could be the underlying issue?
A. The database server needs to get a new public IP to work with the ENI.
B. The security group for the database is blocking traffic from the web server subnet.
C. The instance needs to be restarted so that it can start using the ENI.
D. The backup web server needs to get a new public IP to work with the ENI.

Answer - B.
If you already had a Security Group that was allowing traffic from the original private IP of the ENI, this would no longer be in effect once the ENI is moved to the new subnet.
Hence the Security Group for the database would ideally need to be modified to ensure that traffic can flow from the new web server to the database server.
For more information on Elastic Network Interfaces, please refer to the URL below:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

The underlying issue in this scenario is likely option B: the security group for the database is blocking traffic from the web server subnet.
When an ENI is detached from its original instance and attached to a new instance, it retains its IP addresses and other configuration settings, including any security group rules associated with it.
Since the web server was able to connect to the database server before the ENI was detached, we can assume that the security group rules for the web server are correct. However, when the ENI is attached to the backup web server's instance, the security group rules for that instance are now in effect. If these rules do not allow traffic from the web server subnet to the database server, then the web server will not be able to connect to the database.
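An added example, not part of the original question and not AWS's own code, that models how a security group decides whether the web server's flow to the database is admitted: a database rule set that permits only the original subnet by CIDR, beside the remediated set that also permits the backup subnet and references the web server's security group. The rule shape, CIDRs, group IDs and the MySQL port are constructed assumptions.

```python
import ipaddress

DB_PORT = 3306  # assumed: MySQL-compatible RDS listener

# Constructed inbound rules for the database security group, shaped like the
# IpPermissions entries returned by `aws ec2 describe-security-groups`.
# Before the failover: only the original web subnet is permitted, by CIDR.
DB_SG_BEFORE = [
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.1.0/24"},
]
# After remediation: permit the backup web subnet too, and add an SG-to-SG
# rule so a future move does not depend on which subnet the web server lands in.
DB_SG_FIXED = DB_SG_BEFORE + [
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "cidr": "10.0.2.0/24"},
    {"protocol": "tcp", "from_port": 3306, "to_port": 3306, "source_sg": "sg-web"},
]


def first_matching_rule(inbound, protocol, port, src_ip, src_sgs):
    """Return the inbound rule that admits this flow, or None if the security
    group would drop it (groups deny by default; any single matching rule allows)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in inbound:
        if rule["protocol"] not in ("-1", protocol):
            continue  # wrong protocol ("-1" means all protocols)
        if rule["protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
            continue  # port outside the rule's range
        if "cidr" in rule and ip in ipaddress.ip_network(rule["cidr"]):
            return rule  # source address falls inside the permitted CIDR
        if "source_sg" in rule and rule["source_sg"] in src_sgs:
            return rule  # source ENI belongs to the referenced security group
    return None


def can_reach_db(inbound, src_ip, src_sgs=()):
    """True if a web server with this private IP / SG membership reaches tcp/3306."""
    return first_matching_rule(inbound, "tcp", DB_PORT, src_ip, set(src_sgs)) is not None


if __name__ == "__main__":
    original = ("10.0.1.10", {"sg-web"})  # web server in the original subnet
    backup = ("10.0.2.20", {"sg-web"})    # backup web server in the other subnet
    for name, rules in (("before", DB_SG_BEFORE), ("fixed", DB_SG_FIXED)):
        print(name, "original:", can_reach_db(rules, *original),
              "backup:", can_reach_db(rules, *backup))
```

Running it shows the backup web server blocked under DB_SG_BEFORE and admitted under DB_SG_FIXED; the SG-reference rule is what keeps the database reachable regardless of subnet.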
Option A, "the database server needs to get a new public IP to work with the ENI," is incorrect because the database server should not be configured to use the ENI's public IP address in the first place. Typically, a database server in a VPC would use a private IP address and would not have a public IP address assigned to it.
Option C, "the instance needs to be restarted so that it can start using the ENI," is incorrect because attaching an ENI to an instance does not require a restart of the instance. The instance should be able to use the ENI immediately after it is attached.
Option D, "the backup web server needs to get a new public IP to work with the ENI," is also incorrect because the ENI should already have a public IP address associated with it. If the backup web server needs to communicate with the internet using a different public IP address, this should be configured separately, and should not affect the ability of the web server to connect to the database.