A VPC has four subnets:

Subnet   Description
Subnet1  Contains a route table entry with destination: 0.0.0.0/0 and target: VPC Internet Gateway ID
Subnet2  Contains a route table entry with destination: 0.0.0.0/0 and target: NAT Gateway ID
Subnet3  Contains an EC2 instance that serves as a bastion host
Subnet4  Contains an NSG Inbound Rule with Source: 0.0.0.0/0; Protocol: TCP; and Port Range: 1433

What would be the recommended subnet for hosting an RDS database instance?
A. Subnet1
B. Subnet2
C. Subnet3
D. Subnet4

Answer: B.
Security best practice is to deploy RDS database instances in a private subnet.
A private subnet has only private IP addresses and no direct route to the public internet.
Where outbound connectivity is needed, it is provided through a NAT gateway.
Option A is incorrect because Subnet1 has direct connectivity to the public internet via the Internet gateway.
Thus, it is characterized as a public subnet and would not be a recommended location for deploying databases.
Option B is CORRECT because Subnet2 is a suitable choice for deploying RDS instances as it is characterized as a private subnet.
Option C is incorrect because a bastion host accepts direct inbound connections from the public internet.
Subnet3 is therefore not a good choice for hosting databases.
Option D is incorrect because Subnet4 contains an NSG rule that allows inbound connections from the public internet (0.0.0.0/0) on the database port, TCP 1433.
This makes it a poor candidate for hosting databases.
Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html

When hosting an RDS database instance in a VPC, it is important to choose a subnet whose network connectivity and security posture match the requirements of a database.
Based on the information given, none of the subnets is specifically designed for hosting a database instance. However, Subnets 3 and 4 can be eliminated because they are not suitable for hosting a database.
Subnet 3 contains an EC2 instance that serves as a bastion host, which is used for remote administrative access to other instances within the VPC and therefore accepts inbound connections from the internet. Subnet 4 contains an NSG inbound rule with Source: 0.0.0.0/0; Protocol: TCP; and Port Range: 1433, which opens the database port to the entire internet.
This leaves Subnets 1 and 2.
Subnet 1 contains a route table entry with destination: 0.0.0.0/0 and target: VPC Internet Gateway ID. Instances in this subnet can communicate directly with the internet, which is useful for reaching external resources, but it makes the subnet public and therefore a poor choice for hosting a database instance.
Subnet 2 contains a route table entry with destination: 0.0.0.0/0 and target: NAT Gateway ID. Instances in this subnet can reach the internet only outbound, via the NAT gateway, and are not reachable from it, which provides an additional layer of protection. This subnet is the better choice for hosting a database instance.
Therefore, the recommended subnet for hosting an RDS database instance is Subnet 2.
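The reasoning in both explanations above (public versus private subnet, bastion exposure, and an inbound rule open to 0.0.0.0/0 on the database port) can be expressed as a placement check. The following Python is an added example, not part of the exam page and not AWS or boto3 code: it models the four subnets from the question with constructed data (the `igw-EXAMPLE` / `nat-EXAMPLE` gateway IDs and the dataclass field names are assumptions, chosen to mirror the question text rather than any API output). It goes slightly beyond the question by also treating a subnet with no default route at all as private, and by flagging the other common database ports (3306, 5432) alongside 1433.

```python
# Added example: classify VPC subnets as public/private and flag database-port exposure,
# then recommend which subnet(s) may host an RDS instance. Data below is constructed to
# match the exam question; it is not real AWS output.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    destination: str   # CIDR, e.g. "0.0.0.0/0"
    target: str        # gateway id; "igw-"/"nat-" prefixes follow AWS naming (constructed values)


@dataclass
class IngressRule:
    source_cidr: str
    protocol: str      # "tcp", "udp" or "-1" (all protocols, as the AWS API encodes it)
    from_port: int
    to_port: int


@dataclass
class Subnet:
    name: str
    routes: List[Route] = field(default_factory=list)
    ingress: List[IngressRule] = field(default_factory=list)  # rules of the security group used there
    hosts_bastion: bool = False


# Default ports of SQL Server, MySQL and PostgreSQL; 1433 is the one in the question.
DB_PORTS = {1433, 3306, 5432}


def default_route_target(subnet: Subnet) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route, or None if the subnet has no default route."""
    for r in subnet.routes:
        if r.destination == "0.0.0.0/0":
            return r.target
    return None


def is_public(subnet: Subnet) -> bool:
    """A subnet whose default route points at an internet gateway is public."""
    target = default_route_target(subnet)
    return target is not None and target.startswith("igw-")


def has_nat_egress(subnet: Subnet) -> bool:
    """A subnet whose default route points at a NAT gateway has outbound-only internet access."""
    target = default_route_target(subnet)
    return target is not None and target.startswith("nat-")


def exposes_db_port(subnet: Subnet) -> bool:
    """True if any inbound rule lets the whole internet reach a database port."""
    for rule in subnet.ingress:
        if rule.source_cidr != "0.0.0.0/0":
            continue
        if rule.protocol == "-1":          # all protocols/ports: everything is exposed
            return True
        if rule.protocol.lower() == "tcp" and any(
            rule.from_port <= p <= rule.to_port for p in DB_PORTS
        ):
            return True
    return False


def assess(subnet: Subnet) -> Tuple[bool, str]:
    """Return (recommended, reason) for placing an RDS instance in this subnet."""
    if is_public(subnet):
        return False, "public subnet: default route points at an internet gateway"
    if subnet.hosts_bastion:
        return False, "hosts a bastion that accepts inbound connections from the internet"
    if exposes_db_port(subnet):
        return False, "security group allows 0.0.0.0/0 on a database port"
    if has_nat_egress(subnet):
        return True, "private subnet: outbound only, via NAT gateway"
    return True, "private subnet with no default route (no internet path at all)"


def recommend(subnets: List[Subnet]) -> List[str]:
    """Names of the subnets that pass every check."""
    return [s.name for s in subnets if assess(s)[0]]


# Constructed to mirror the four subnets in the question.
QUESTION_SUBNETS = [
    Subnet("Subnet1", routes=[Route("0.0.0.0/0", "igw-EXAMPLE")]),
    Subnet("Subnet2", routes=[Route("0.0.0.0/0", "nat-EXAMPLE")]),
    Subnet("Subnet3", hosts_bastion=True),
    Subnet("Subnet4", ingress=[IngressRule("0.0.0.0/0", "tcp", 1433, 1433)]),
]

if __name__ == "__main__":
    for s in QUESTION_SUBNETS:
        ok, why = assess(s)
        print(f"{s.name}: {'recommended' if ok else 'rejected'} ({why})")
    print("Recommended:", recommend(QUESTION_SUBNETS))
```

Running it prints one verdict per subnet and ends with `Recommended: ['Subnet2']`. The order of the checks matters: a subnet is rejected as soon as it has a direct inbound path from the internet (IGW route, bastion, or open database port), and only then does the egress path (NAT or none) decide the reason given.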