AWS Certified Solutions Architect - Associate / Question #1265 of 1019

Question #1265

A company hosts a web application on EC2 instances in private subnets across multiple Availability Zones. An internet-facing Application Load Balancer (ALB) directs traffic to these instances, but users cannot access the application. The solutions architect discovers the ALB is associated with private subnets. What should be done to resolve this issue?

A

Replace the ALB with a Network Load Balancer. Create a NAT gateway in a public subnet to allow internet traffic to the EC2 instances.

B

Move the EC2 instances to public subnets. Update the ALB's security group to allow inbound traffic from the internet.

C

Update the route tables for the private subnets to include a route to an internet gateway. Modify the EC2 instances' security groups to allow inbound HTTP traffic.

D

Create public subnets in each Availability Zone. Associate the ALB with the public subnets. Ensure the public subnets' route tables direct internet traffic through an internet gateway.

Explanation

The issue arises because an internet-facing Application Load Balancer (ALB) must be placed in public subnets to be accessible from the internet. The ALB was incorrectly associated with private subnets, blocking user access.

- Option D resolves this by creating public subnets in each Availability Zone, associating the ALB with them, and ensuring the public subnets' route tables direct internet traffic through an internet gateway. This allows the ALB to receive traffic from the internet and forward it to the EC2 instances in private subnets.

- Why other options are incorrect:
  - A: Replacing the ALB with an NLB and adding a NAT gateway does not fix the ALB's placement in private subnets. NAT gateways enable outbound traffic for private instances, not inbound access.
  - B: Moving EC2 instances to public subnets exposes them directly to the internet, violating security best practices. The ALB's placement remains the root issue.
  - C: Private subnets should not have a route to an internet gateway. This would expose EC2 instances directly to the internet, bypassing the ALB.

Key Points:
- Internet-facing ALBs require public subnets with routes to an internet gateway.
- EC2 instances should remain in private subnets for security.
- Route tables for public subnets must include a route to an internet gateway (0.0.0.0/0 -> igw-*).
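The key points above amount to a check you can automate: for an internet-facing ALB, every subnet it is associated with must be a public subnet, meaning its effective route table (explicit association, or the VPC main table as fallback) carries a 0.0.0.0/0 route targeting an internet gateway. The following Python script is an added example, not part of the original question page. It works on hand-constructed dictionaries shaped like the EC2 DescribeRouteTables and ELBv2 DescribeLoadBalancers responses, so it runs offline; the subnet, route table and gateway IDs are made up, and the "broken" ALB reproduces the misconfiguration from the question while the "fixed" ALB reflects option D.

```python
"""Verify that an internet-facing ALB only uses public subnets.

A subnet counts as public when the route table that applies to it (its
explicit association, else the VPC main table) has an active 0.0.0.0/0
route whose target is an internet gateway (igw-...). All data below is
constructed for the example; no AWS API call is made.
"""

DEFAULT_ROUTE = "0.0.0.0/0"
IGW_PREFIX = "igw-"

# Constructed route tables (shape mimics EC2 DescribeRouteTables).
ROUTE_TABLES = [
    {   # VPC main table: private, default route goes to a NAT gateway.
        "RouteTableId": "rtb-main-private",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0example", "State": "active"},
        ],
    },
    {   # Public table: default route goes to the internet gateway.
        "RouteTableId": "rtb-public",
        "Associations": [
            {"SubnetId": "subnet-pub-a"},
            {"SubnetId": "subnet-pub-b"},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0example", "State": "active"},
        ],
    },
]

# Constructed ALB descriptions (shape mimics ELBv2 DescribeLoadBalancers).
ALB_BROKEN = {  # the situation in the question: internet-facing, but on private subnets
    "LoadBalancerName": "web-alb",
    "Scheme": "internet-facing",
    "AvailabilityZones": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
}
ALB_FIXED = {   # option D: same ALB re-associated with public subnets
    "LoadBalancerName": "web-alb",
    "Scheme": "internet-facing",
    "AvailabilityZones": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
}


def route_table_for_subnet(subnet_id, route_tables):
    """Return the route table that applies to subnet_id.

    An explicit subnet association wins; otherwise the VPC main table
    applies, exactly as EC2 resolves it. Returns None if neither exists.
    """
    main_table = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main_table = table
    return main_table


def is_public_subnet(subnet_id, route_tables):
    """True if the subnet's effective route table sends 0.0.0.0/0 to an IGW."""
    table = route_table_for_subnet(subnet_id, route_tables)
    if table is None:
        return False
    for route in table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == DEFAULT_ROUTE
                and route.get("GatewayId", "").startswith(IGW_PREFIX)
                and route.get("State", "active") == "active"):
            return True
    return False


def misplaced_alb_subnets(alb, route_tables):
    """Return the subnet IDs of an internet-facing ALB that are not public.

    An empty list means the ALB is placed correctly. Internal ALBs are
    expected to live in private subnets, so they always pass.
    """
    if alb.get("Scheme") != "internet-facing":
        return []
    return [az["SubnetId"] for az in alb.get("AvailabilityZones", [])
            if not is_public_subnet(az["SubnetId"], route_tables)]


if __name__ == "__main__":
    for alb in (ALB_BROKEN, ALB_FIXED):
        bad = misplaced_alb_subnets(alb, ROUTE_TABLES)
        status = "OK" if not bad else "MISCONFIGURED, private subnets: " + ", ".join(bad)
        print(f"{alb['LoadBalancerName']} ({alb['Scheme']}): {status}")
```

Against live data the same functions can be fed the output of `describe-route-tables` and `describe-load-balancers`; the point of the main-table fallback is that a subnet with no explicit association is still governed by a route table, and that table is usually the private one, which is exactly how the ALB in the question ended up unreachable.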

Answer

The correct answer is: D