AWS Certified Solutions Architect - Associate / Question #1281 of 1019

Question #1281

A company uses Amazon RDS for its multi-tier web application. A solutions architect creates a DB VPC for the RDS instance and an App VPC for the application’s Amazon EC2 instances. Both VPCs are in the us-west-2 Region. The solutions architect must implement a solution to provide the EC2 instances with access to the RDS instance. Which solution will meet these requirements MOST cost-effectively?

A

Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the RDS instance’s security group to allow inbound connections from the application’s security group.

B

Create a Transit VPC. Update the VPC route tables in the DB VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the RDS instance’s security group to allow inbound connections from the application’s security group.

C

Create a peering connection between the VPCs. Add a route table entry for the peering connection in both VPCs. Configure an inbound rule for the peering connection’s security group to allow inbound connections from the application’s security group.

D

Create a Transit VPC. Update the VPC route tables in the DB VPC and the App VPC to route traffic through the Transit VPC. Configure an inbound rule for the Transit VPC’s security group to allow inbound connections from the application’s security group.

Explanation

Option A is correct because:
1. VPC Peering: Establishes a direct, private connection between the DB VPC and the App VPC in the same region, so traffic never traverses the public internet or a third-party appliance and incurs no charges for either.
2. Route Table Configuration: Ensures traffic between the VPCs is routed through the peering connection.
3. Security Group Rules: Allowing inbound connections from the application's security group to the RDS instance ensures secure, dynamic access without hardcoding IP addresses.
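The configuration described in option A, as an added Terraform example that is not part of the original question (resource names, CIDR blocks and the MySQL port 3306 are assumptions, and both VPCs are assumed to live in the same account in us-west-2):

```hcl
# Constructed example, not from the question or AWS documentation: CIDRs,
# names and the port are placeholders; assumes one account, region us-west-2.

# Peered VPCs must not have overlapping CIDR blocks.
resource "aws_vpc" "app" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_vpc" "db" {
  cidr_block = "10.1.0.0/16"
}

# Intra-region peering; auto_accept only works for a same-account peer.
resource "aws_vpc_peering_connection" "app_to_db" {
  vpc_id      = aws_vpc.app.id
  peer_vpc_id = aws_vpc.db.id
  auto_accept = true
}

# One route in each VPC pointing at the other VPC's CIDR via the peering link.
resource "aws_route" "app_to_db" {
  route_table_id            = aws_vpc.app.main_route_table_id
  destination_cidr_block    = aws_vpc.db.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_db.id
}

resource "aws_route" "db_to_app" {
  route_table_id            = aws_vpc.db.main_route_table_id
  destination_cidr_block    = aws_vpc.app.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.app_to_db.id
}

resource "aws_security_group" "app" {
  vpc_id = aws_vpc.app.id
}

resource "aws_security_group" "rds" {
  vpc_id = aws_vpc.db.id
}

# Inbound rule on the RDS security group that references the application
# security group in the peer VPC instead of hard-coding IP ranges.
resource "aws_vpc_security_group_ingress_rule" "rds_from_app" {
  security_group_id            = aws_security_group.rds.id
  referenced_security_group_id = aws_security_group.app.id
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
}
```

Referencing a peer VPC's security group this way only works while the peering connection is active and both VPCs are in the same region; cross-region peering requires CIDR-based rules instead.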

Other options are incorrect because:
- B & D (Transit VPC): Introduce unnecessary complexity and cost (e.g., VPN appliances, additional VPC management) for a simple two-VPC setup.
- C: Incorrectly references a "peering connection's security group," which does not exist. Security groups are applied to resources (e.g., EC2, RDS), not to VPC peering connections.

Key Points:
- Use VPC peering for cost-effective, same-region VPC connectivity.
- Security groups should reference each other (not IPs) for dynamic access control.
- Avoid Transit VPC unless connecting multiple VPCs or hybrid networks.

Answer

The correct answer is: A