A user has created a VPC with the public and private subnets using the VPC wizard.
The VPC has CIDR 10.0.0.0/16
The public subnet uses CIDR 10.0.0.0/24
The user plans to host a web server in the public subnet on port 80 and a database server in the private subnet on port 3306.
The user configures the security groups for the web server (WebSecGrp) and the Database server (DBSecGrp)
Which of the below mentioned entries is required in the database security group DBSecGrp?
A. Allow Inbound on port 3306 for the Source WebSecGrp
B. Allow Inbound on port 3306 from the source 10.0.0.0/16
C. Allow Outbound on port 3306 for the Destination WebSecGrp
D. Allow Outbound on port 80 for the Destination NAT Instance IP
Answer - A.
Since the Web server needs to talk to the database server on port 3306, the database server should allow the incoming traffic on port 3306
The below table from the AWS documentation shows how the security groups should be set up.
Option B is incorrect because you need to allow incoming access for the database server from the WebSecGrp security group.
Option C is incorrect because you need to allow inbound traffic on port 3306.
Option D is incorrect because there is no need to open port 80 in this scenario.
For more information on security groups, please visit the link below:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
The correct answer is A. Allow Inbound on port 3306 for the Source WebSecGrp.
Explanation:
When creating a VPC with public and private subnets, it is a best practice to isolate resources into different subnets. The public subnet is used to host resources that require public access, such as web servers, while the private subnet is used to host resources that should not be directly accessible from the internet, such as databases.
Security groups act as virtual firewalls for EC2 instances, controlling inbound and outbound traffic. Each security group has a set of inbound and outbound rules that determine what traffic is allowed in and out of the instances associated with that security group.
In this scenario, the user plans to host a web server in the public subnet with port 80 and a database server in the private subnet with port 3306. The user configures the security groups for the web server (WebSecGrp) and the database server (DBSecGrp).
To allow traffic from the web server to the database server, the user needs to add an inbound rule to the database security group (DBSecGrp) that allows traffic from the source security group of the web server (WebSecGrp) on port 3306.
Option A. Allow Inbound on port 3306 for the Source WebSecGrp is the correct answer, as it allows traffic from the source security group of the web server (WebSecGrp) on port 3306.
Option B. Allow Inbound on port 3306 from the source 10.0.0.0/16 is incorrect, as it allows traffic from any IP address in the VPC on port 3306. This would expose the database server to the internet, which is not desirable.
Option C. Allow Outbound on port 3306 for the Destination WebSecGrp is incorrect, as it allows traffic from the database server to the web server on port 3306. This is not necessary, as the database server is the destination, not the source, of the traffic.
Option D. Allow Outbound on port 80 for the Destination NAT Instance IP is also incorrect, as it allows traffic from the web server to a NAT instance on port 80. This is not necessary, as the web server is not communicating with a NAT instance in this scenario.
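The following is an added example, not part of the original question or the AWS documentation: it models the four candidate DBSecGrp rule sets in the dictionary shape that boto3's describe_security_groups returns and checks which one actually admits the web tier on tcp/3306 while flagging CIDR-based sources as broader than a security-group reference. The group id, the web server address and the NAT instance address are constructed placeholders, and nothing here contacts AWS.

```python
import ipaddress

WEB_SG = "sg-0aaa0000web"    # constructed id standing in for WebSecGrp
WEB_IP = "10.0.0.10"         # constructed address inside the public subnet 10.0.0.0/24
DB_PORT = 3306

def permission_covers(perm, proto, port):
    """True if one IpPermission entry covers proto/port ('-1' means all traffic)."""
    if perm.get("IpProtocol") == "-1":
        return True
    if perm.get("IpProtocol") != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def evaluate_db_sg(sg):
    """Return (web_tier_reaches_db, findings) for a candidate DBSecGrp description.
    Only IpPermissions (inbound) can admit the web tier; IpPermissionsEgress never grants ingress."""
    findings, reachable = [], False
    for perm in sg.get("IpPermissions", []):
        if not permission_covers(perm, "tcp", DB_PORT):
            continue
        if any(p["GroupId"] == WEB_SG for p in perm.get("UserIdGroupPairs", [])):
            reachable = True  # source is the web tier's own security group (option A)
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"])
            if ipaddress.ip_address(WEB_IP) in net:
                reachable = True  # reachable, but the rule also admits every other host in the range
            findings.append(f"tcp/{DB_PORT} open to CIDR {net}; prefer source group {WEB_SG}")
    if not reachable:
        findings.append(f"no inbound rule admits tcp/{DB_PORT} from the web tier")
    return reachable, findings

# Constructed rule sets mirroring options A-D from the question.
OPTIONS = {
    "A": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                             "UserIdGroupPairs": [{"GroupId": WEB_SG}]}]},
    "B": {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    "C": {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                                   "UserIdGroupPairs": [{"GroupId": WEB_SG}]}]},
    "D": {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                   "IpRanges": [{"CidrIp": "10.0.0.5/32"}]}]},  # constructed NAT IP
}

if __name__ == "__main__":
    for name, sg in OPTIONS.items():
        print(name, *evaluate_db_sg(sg))
```

Only option A is both reachable and free of findings; option B reaches the database but is flagged for admitting the whole VPC range, and the outbound-only options C and D never admit the web tier at all.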