AWS Certified Solutions Architect - Professional Exam: EC2 Instances and VPC Configuration


Question

You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets.

One instance is running a database, and the other instance an application that will interface with the database.

Answers

Explanations


Answer - A and D.

In order for the instances to communicate with each other, you need to properly configure both the Security Groups and the Network Access Control Lists (NACLs).

For the exam, remember that the Security Group operates at the instance level, whereas the NACL operates at the subnet level.

Option A is CORRECT because the security groups must be defined to allow the web server to communicate with the database server.

An example image from the AWS documentation is given below:

Option B is incorrect because it is not necessary to have the two instances of the same type or the same key-pair.

Option C is incorrect because configuring a NAT instance or NAT gateway will not enable the two servers to communicate with each other.

A NAT instance or NAT gateway is used to enable communication between instances in private subnets and the Internet.

Option D is CORRECT because the two servers are in two separate subnets.

In order for them to communicate with each other, you need to configure the NACL as shown below:

For more information on VPCs and subnets, please visit the URL below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
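To make the instance-level versus subnet-level distinction above concrete, here is an added example (not from the page or from AWS) that models, in Python, every hop a TCP connection from the application host to the database host must clear: the application subnet's NACL on the way out, the database subnet's NACL on the way in, the database instance's security group, and then the two NACLs again for the reply. It goes slightly beyond the page in showing why NACLs need return-traffic rules on the ephemeral port range while security groups do not: security groups are stateful, NACLs are stateless. All IDs (sg-app, sg-db), CIDRs, IP addresses and the database port 3306 are constructed sample values.

```python
"""Toy model of the path a TCP connection takes between two EC2 instances in
different subnets of one VPC. Added example, not AWS code. Security groups
are stateful and attached to the instance; network ACLs are stateless,
attached to the subnet, and evaluated lowest rule number first with an
implicit final deny. All IDs, CIDRs and the port 3306 are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # range a NACL must open so replies can return


@dataclass
class SGRule:
    proto: str
    port_from: int
    port_to: int
    source: str  # a CIDR or another security group id


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list  # outbound is left at the AWS default: allow all


@dataclass
class AclRule:
    number: int
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str  # "allow" or "deny"


@dataclass
class Subnet:
    cidr: str
    acl_inbound: list
    acl_outbound: list


@dataclass
class Instance:
    name: str
    ip: str
    subnet: Subnet
    sgs: list


def nacl_allows(rules, proto, ip, port):
    """Stateless check: the first matching rule by number decides, else deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in (proto, "all") and r.port_from <= port <= r.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False


def sg_allows_inbound(server, client, proto, port):
    """Stateful check: one matching allow rule on any attached group admits the
    connection, and the reply is admitted automatically (no outbound check)."""
    for sg in server.sgs:
        for r in sg.inbound:
            if r.proto != proto or not r.port_from <= port <= r.port_to:
                continue
            if r.source.startswith("sg-"):  # source is another security group
                if any(s.sg_id == r.source for s in client.sgs):
                    return True
            elif ipaddress.ip_address(client.ip) in ipaddress.ip_network(r.source):
                return True
    return False


def connection_checks(client, server, port, client_port=40000, proto="tcp"):
    """Every hop the request and its reply must clear, in path order."""
    c_sub, s_sub = client.subnet, server.subnet
    return [
        ("client subnet NACL outbound", nacl_allows(c_sub.acl_outbound, proto, server.ip, port)),
        ("server subnet NACL inbound", nacl_allows(s_sub.acl_inbound, proto, client.ip, port)),
        ("server security group inbound", sg_allows_inbound(server, client, proto, port)),
        ("server subnet NACL outbound (reply)", nacl_allows(s_sub.acl_outbound, proto, client.ip, client_port)),
        ("client subnet NACL inbound (reply)", nacl_allows(c_sub.acl_inbound, proto, server.ip, client_port)),
    ]


def first_failure(checks):
    """Name of the first hop that drops the flow, or None if all pass."""
    return next((hop for hop, ok in checks if not ok), None)


def build_scenario(reply_rules=True):
    """App host in 10.0.1.0/24, database host in 10.0.2.0/24 (constructed).
    With reply_rules=False the NACLs cover only the request direction,
    the classic mistake with a stateless ACL."""
    lo, hi = EPHEMERAL
    app_sub = Subnet("10.0.1.0/24",
                     acl_inbound=[AclRule(100, "tcp", lo, hi, "10.0.2.0/24", "allow")] if reply_rules else [],
                     acl_outbound=[AclRule(100, "tcp", 3306, 3306, "10.0.2.0/24", "allow")])
    db_sub = Subnet("10.0.2.0/24",
                    acl_inbound=[AclRule(100, "tcp", 3306, 3306, "10.0.1.0/24", "allow")],
                    acl_outbound=[AclRule(100, "tcp", lo, hi, "10.0.1.0/24", "allow")] if reply_rules else [])
    sg_app = SecurityGroup("sg-app", inbound=[])
    sg_db = SecurityGroup("sg-db", inbound=[SGRule("tcp", 3306, 3306, "sg-app")])
    return Instance("app", "10.0.1.10", app_sub, [sg_app]), Instance("db", "10.0.2.20", db_sub, [sg_db])


if __name__ == "__main__":
    for flag in (False, True):
        app, db = build_scenario(reply_rules=flag)
        print(f"reply rules={flag}: blocked at {first_failure(connection_checks(app, db, 3306))}")
```

Run as a script, the first scenario is dropped at the database subnet's outbound NACL even though the security group (option A) and the request-direction NACL rules (option D) are both in place; adding the ephemeral-range reply rules lets the flow through. The security group references the application's group by id rather than a CIDR, which is the usual way to express "the application host may talk to the database" without tying the rule to an IP.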

In this scenario, you have two EC2 instances in the same AZ but in different subnets. One instance is running a database, and the other instance an application that will interface with the database. To enable communication between these two instances, you need to configure the network settings properly.

A. Security groups are set to allow the application host to talk to the database on the right port/protocol. Security groups act as virtual firewalls for your instances. You can configure security groups to allow or deny inbound and outbound traffic based on protocols, ports, and IP addresses. In this scenario, you need to ensure that the security group associated with the database instance allows inbound traffic from the security group associated with the application instance on the port and protocol used by the database.

B. Both instances are the same instance class and using the same key-pair. The instance class determines the computing resources allocated to an instance, such as CPU, memory, and network performance. In this scenario, the instance class may not matter as long as the instances meet the minimum requirements for running the database and application. Using the same key-pair may not be necessary unless you need to establish a secure SSH connection between the instances.

C. The default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate. The default route determines where the network traffic should be directed if there is no explicit route defined for a particular destination. In this scenario, you need to ensure that the default route in the route table associated with both subnets points to a NAT instance or IGW, depending on whether the instances need to communicate with the internet or not.

D. A network ACL that allows communication between the two subnets. Network ACLs act as a firewall for your VPC and can be used to control inbound and outbound traffic at the subnet level. In this scenario, you need to ensure that the network ACL associated with the subnets allows inbound traffic from the other subnet on the port and protocol used by the database.

In conclusion, A and C are the most relevant answers to enable communication between the two instances, but B and D may also be necessary depending on your specific requirements.