Confirm EC2 Instance Communication in VPC

Answer - A and D.

When you design a web server and database server, the security groups must be defined so that the web server can talk to the database server.

An example image from the AWS documentation is given below.

Also when communicating between subnets you need to have the NACL's defined.

For more information on VPC and Subnets, please visit the below URL:

The correct answers for this question are A and D.

A. A network ACL that allows communication between the two subnets: Network ACLs act as a firewall for controlling traffic to and from subnets in a VPC. By default, all traffic is blocked in and out of a subnet. Therefore, you need to confirm that there is a network ACL rule allowing traffic to pass between the two subnets. Network ACLs operate at the subnet level, so you need to ensure that the network ACLs of both subnets have rules allowing traffic between them.

D. Security groups are set to allow the application host to talk to the database on the right port/protocol: Security groups act as virtual firewalls that control inbound and outbound traffic to and from EC2 instances. You need to confirm that the security group of the database instance allows incoming traffic from the security group of the application instance on the right port/protocol.

B. Both instances are the same instance class and using the same Key-pair: This option is not relevant to the question because instance class and key-pair do not affect communication between instances in a VPC.

C. That the default route is set to a NAT instance or internet Gateway (IGW) for them to communicate: This option is also not relevant to the question. A default route is needed for instances in private subnets to reach the internet, but the question does not require internet access for the instances to communicate with each other.