Question #1407
A company is deploying a two-tier application in a VPC. The frontend tier uses an Amazon EC2 Auto Scaling group in public subnets across multiple Availability Zones. The backend tier consists of an Amazon DocumentDB cluster in private subnets. The frontend tier requires access to the DocumentDB cluster to retrieve data.
The application is failing to connect to the DocumentDB cluster, though the cluster is confirmed operational. All network ACLs, security groups, and route tables are in their default configurations.
What should a solutions architect recommend to resolve the issue?
A. Add an inbound rule to the private subnet's network ACL to allow traffic from the frontend tier's EC2 instances.
B. Update the VPC route table to include a route for traffic between the frontend tier's EC2 instances and the DocumentDB cluster.
C. Deploy the frontend tier's EC2 instances and the DocumentDB cluster in separate VPCs, then establish VPC peering.
D. Configure an inbound rule in the DocumentDB cluster's security group to allow traffic from the frontend tier's security group.
Explanation
The issue arises because security groups deny all inbound traffic unless a rule explicitly allows it. A newly created security group has no inbound rules at all, and even the VPC's default security group only admits inbound traffic from resources that are members of that same group, so traffic from a frontend tier in a different security group is dropped. The network ACLs and route tables are in their default configurations (which allow the traffic), so the missing piece is an inbound rule on the DocumentDB cluster's security group that permits connections from the frontend EC2 instances.
Why D is correct: Adding an inbound rule to the DocumentDB cluster's security group that allows TCP traffic on the cluster's port (27017 by default) from the frontend tier's security group lets the EC2 instances reach the cluster. Referencing the frontend security group rather than an IP range is the right choice here because the Auto Scaling group launches and terminates instances with changing private IPs, and any instance in that group is covered automatically. Security groups are enforced at the elastic network interface of each resource and must explicitly allow the required traffic; the frontend group's default outbound rule already allows all egress, so only the inbound side needs a rule.
Why other options are incorrect:
- A: Default network ACLs already allow all inbound/outbound traffic, so no additional rules are needed.
- B: Route tables in a VPC include a local route for intra-VPC communication by default, so no update is required.
- C: Deploying in separate VPCs adds unnecessary complexity and cost; both tiers are already in the same VPC, and peering would still leave the missing security group rule unaddressed.
Key Points:
- Security groups are stateful and deny inbound traffic by default; return traffic for an allowed connection is permitted automatically.
- Intra-VPC communication requires the destination's security group to have an inbound rule admitting the source (by security group ID or CIDR), and the source's security group to allow the outbound traffic, which the default allow-all outbound rule already does.
- Network ACLs and route tables are not the issue here: the default network ACL allows all traffic and the VPC's local route covers intra-VPC traffic.
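The following script shows how the fix in option D is applied and verified in practice. It is an added example, not part of the original question or explanation: it uses boto3 to look up the DocumentDB cluster's port and VPC security groups, adds an inbound rule that references the frontend tier's security group (not its IP range), and re-reads the group to confirm the rule is present. The pure helper `rule_allows_source_group` also makes the caveat above concrete: a default security group whose only rule references itself does not admit a differently grouped frontend. The cluster identifier and security group IDs are placeholders.

```python
"""Grant the frontend tier's security group access to a DocumentDB cluster.

Added example (not from the original page). CLUSTER_ID and FRONTEND_SG_ID are
placeholders; replace them with the real identifiers before running.
"""
from typing import Any, Dict, List

DOCDB_DEFAULT_PORT = 27017  # DocumentDB listens on 27017 unless the cluster was created with another port


def build_ingress_permission(source_sg_id: str, port: int, description: str) -> Dict[str, Any]:
    """Build the IpPermissions entry for 'allow TCP <port> from members of source_sg_id'.

    Referencing a security group rather than a CIDR means instances the Auto Scaling
    group launches later are covered automatically, whatever private IP they get.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id, "Description": description}],
    }


def rule_allows_source_group(security_group: Dict[str, Any], source_sg_id: str, port: int) -> bool:
    """True if `security_group` (one entry from describe_security_groups) admits TCP <port>
    from source_sg_id. A broader rule (all traffic, or a port range covering <port>) counts.
    A rule that only references the group itself (the VPC default group) does not."""
    for perm in security_group.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)):
            continue
        if any(pair.get("GroupId") == source_sg_id for pair in perm.get("UserIdGroupPairs", [])):
            return True
    return False


def allow_frontend_to_docdb(ec2, docdb, cluster_id: str, frontend_sg_id: str) -> Dict[str, str]:
    """Add the missing inbound rule on every security group attached to the cluster,
    skipping groups that already allow the traffic, and verify by re-reading each group."""
    cluster = docdb.describe_db_clusters(DBClusterIdentifier=cluster_id)["DBClusters"][0]
    port: int = cluster["Port"]
    docdb_sg_ids: List[str] = [g["VpcSecurityGroupId"] for g in cluster["VpcSecurityGroups"]]

    results: Dict[str, str] = {}
    for sg in ec2.describe_security_groups(GroupIds=docdb_sg_ids)["SecurityGroups"]:
        if rule_allows_source_group(sg, frontend_sg_id, port):
            results[sg["GroupId"]] = "already-allowed"
            continue
        ec2.authorize_security_group_ingress(
            GroupId=sg["GroupId"],
            IpPermissions=[build_ingress_permission(frontend_sg_id, port, "frontend tier -> DocumentDB")],
        )
        # Confirm from a fresh read rather than trusting the call's return value.
        refreshed = ec2.describe_security_groups(GroupIds=[sg["GroupId"]])["SecurityGroups"][0]
        results[sg["GroupId"]] = "added" if rule_allows_source_group(refreshed, frontend_sg_id, port) else "failed"
    return results


if __name__ == "__main__":
    import boto3  # only needed when talking to AWS; the helpers above work offline

    CLUSTER_ID = "app-docdb-cluster"           # placeholder
    FRONTEND_SG_ID = "sg-0123456789abcdef0"    # placeholder: the frontend Auto Scaling group's SG
    session = boto3.Session()
    print(allow_frontend_to_docdb(session.client("ec2"), session.client("docdb"), CLUSTER_ID, FRONTEND_SG_ID))
```

The caller needs `rds:DescribeDBClusters`, `ec2:DescribeSecurityGroups` and `ec2:AuthorizeSecurityGroupIngress` permissions. Because the check runs before the authorize call, re-running the script is idempotent and does not produce a duplicate-rule error.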
Answer
The correct answer is: D