AWS Certified Advanced Networking - Specialty Exam: Best Solution for Hosting a Database Server

The Best Solution for Hosting a Database Server

Prev Question Next Question

Question

There is a requirement to host a database server.

This server should not be able to connect to the internet except in the case of downloading the required database patches.

Which of the following solutions would be the best to satisfy all the above requirements? Choose the correct answer from the options below.

Answers

A. Set up the database in a private subnet with a security group which only allows outbound traffic.

B. Set up the database in a public subnet with a security group which only allows inbound traffic.

C. Set up the database in a local data center and use a private gateway to connect the application to the database.

D. Set up the database in a private subnet which connects to the Internet via a NAT instance.

Show Answer

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - D.

This sort of setup as per the aws documentation coincides with Scenario2 of setting up a VPC.For more information on the VPC Scenario for public and private subnets please see the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Scenario 2: VPC with Public and Private Subnets (NAT)

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private
subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining
back-end servers that aren't publicly accessible. A common example is a multi-tier website, with the web
servers in a public subnet and the database servers in a private subnet. You can set up security and routing
so that the web servers can communicate with the database servers.

The best solution to satisfy the requirement of hosting a database server that should not connect to the internet, except in the case of downloading database patches, would be to set up the database in a private subnet with a security group that only allows outbound traffic. Therefore, the correct answer is A.

Explanation:

A subnet is a logical partition of an IP network into multiple smaller network segments. A private subnet is a subnet that does not have direct internet access. Therefore, any instance launched in a private subnet cannot be accessed from the internet unless explicitly permitted through a gateway, such as a NAT gateway.

A security group acts as a virtual firewall for an instance or resource. It regulates both inbound and outbound traffic for the instance or resource. In this case, the security group should be configured to allow outbound traffic only to the IP addresses required for downloading the database patches.

Option B is incorrect because hosting the database server in a public subnet would allow it to be accessed from the internet, which is not a requirement. Additionally, inbound traffic to the database server would need to be blocked using a security group, which would still expose the server to attacks from the internet.

Option C is incorrect because it requires setting up a local data center, which may not be feasible or cost-effective. Additionally, using a private gateway to connect the application to the database would still require the database server to have internet access for downloading patches.

Option D is incorrect because it suggests using a NAT instance, which would still provide the database server with access to the internet. This would not meet the requirement of restricting internet access except for downloading patches.

Prev Question Next Question