Securing Application Networking in AWS

Designing the Networking for Your Web and Database Tiers


Question

Your company is planning to deploy an application that will consist of a web and database tier.

The database tier should not be accessible from the Internet.

How would you design the networking part of the application? Choose 2 answers from the options below.

Explanations

Answer - A and D.

The below diagram from the AWS Documentation shows the design of a web and database tier.

Option B is incorrect since users will not be able to access the web application if it is placed in a private subnet.

Option C is incorrect since the question mentions that the database should not be accessible from the internet.

For more information on private and public subnets and the VPC, please visit the below URL-

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
[Figure: a VPC (10.0.0.0/16) in a Region, with a public subnet containing the web servers (Elastic IP 198.51.100.4) and a NAT gateway with its own Elastic IP, and a private subnet for the database tier.]

Public subnet, custom route table:

Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw-id

Private subnet, main route table:

Destination Target
10.0.0.0/16 local
0.0.0.0/0 nat-gateway-id

The best approach to design the networking part of the application that consists of a web and database tier, where the database tier should not be accessible from the internet, is to use private and public subnets in a Virtual Private Cloud (VPC) on Amazon Web Services (AWS).

A subnet is a range of IP addresses in your VPC where you can launch Amazon Elastic Compute Cloud (Amazon EC2) instances, Amazon Relational Database Service (Amazon RDS) instances, or AWS Lambda functions.

A public subnet is a subnet that has a direct route to the internet gateway. Instances launched in a public subnet can have public IP addresses assigned to them, which makes them directly accessible from the internet. Therefore, it is not suitable to launch the database tier in a public subnet because it would expose it to the internet.

On the other hand, a private subnet is a subnet that does not have a direct route to the internet gateway. Instances launched in a private subnet cannot have public IP addresses assigned to them, which makes them not directly accessible from the internet. Therefore, launching the database tier in a private subnet is the best approach because it is not directly exposed to the internet.

Hence, the two answers that should be selected are B (A private subnet for the web tier) and D (A private subnet for the database tier).

Here is a high-level diagram of the recommended VPC design:

VPC
+---------------+
|   Internet    |
+---------------+
        |
+---------------+
| NAT Gateways  |
+---------------+
        |
+---------------------+
| Private Subnet 1    |
| (Web Tier)          |
|                     |
|  +----------------+ |
|  | EC2 instances  | |
|  +----------------+ |
+---------------------+
        |
+-----------------------+
| Private Subnet 2      |
| (Database Tier)       |
|                       |
|  +------------------+ |
|  | RDS instances    | |
|  +------------------+ |
+-----------------------+

In this design, the web tier is launched in one private subnet and the database tier in a separate private subnet. A Network Address Translation (NAT) gateway provides outbound internet access from the private subnets for software updates, patches, external API calls, and so on.

Note that in this design, the instances in the private subnet do not have a public IP address, and they can communicate with each other using their private IP addresses. The security group rules can be configured to allow communication between the web and database tiers as required, while the network access control lists (ACLs) can be used to control inbound and outbound traffic at the subnet level.