Security Best Practices for ELB/Server Deployment in AWS Cloud

Recommended Security Best Practices


Question

A startup firm is planning to migrate all its in-house servers to VPC.

These are three-tier servers wherein application servers are internet-facing fetching data from backend database servers.

For deploying servers in VPC, they have created public & private subnets in VPC.

ELB will be front-ending these servers to forward all incoming user requests towards application servers.

Database servers will be launched in private subnets.

Which of the following is the recommended security best practice for ELB/Server deployment in the AWS cloud?


Correct Answer - D.

All internet-facing application servers & ELB should be placed in public subnets with NACL configured at the subnet level.

For servers, additional security can be configured by applying a security group at the instance level.

Option A is incorrect as internet-facing load balancers should be in public subnets & not in private subnets.

Options B & C are incorrect as security groups should be at the instance level & not at the subnet level.

NACL should be at the subnet level & not at the instance level.

For more information on security within AWS VPC, refer to the following URL.

https://docs.aws.amazon.com/vpc/latest/userguide/security.html

In this scenario, a startup firm plans to migrate its in-house servers to VPC. The servers are three-tier servers where the application servers are internet-facing, fetching data from backend database servers. The deployment will include public and private subnets in the VPC, with ELB front-ending the servers to forward all incoming user requests towards application servers. The database servers will be launched in private subnets. The question asks for the recommended security best practices for ELB/Server deployment in the AWS cloud.

Option A: Place Internet-facing Load Balancers in dedicated private subnets with NACL configured at the subnet level. Configure Security Group at each instance level for all servers.

Explanation: This option suggests placing the internet-facing load balancers in dedicated private subnets, which is not ideal since ELB needs to be placed in public subnets. NACL should be configured at the subnet level, but the security group should be configured at the ELB and instance level, not just at the instance level.

Option B: Place Internet-facing Load Balancers in dedicated private subnets with security-group at the subnet level. Configure NACL at each instance level for all servers.

Explanation: This option suggests placing the internet-facing load balancers in dedicated private subnets, which is not ideal. ELB should be placed in public subnets. Security group should be configured at the ELB and instance level, not just at the subnet level. NACL should be configured at the subnet level, not at the instance level for the servers.

Option C: Place Internet-facing Load Balancers in dedicated public subnets with security-group at the subnet level. Configure NACL at each instance level for all servers.

Explanation: This option suggests placing the internet-facing load balancers in dedicated public subnets, which is ideal for ELB deployment. Security group should be configured at the ELB and instance level, not just at the subnet level. NACL should be configured at the subnet level, not at the instance level for the servers.

Option D: Place Internet-facing Load Balancers in dedicated public subnets with NACL configured at the subnet level. Configure Security Group at each instance level for all servers.

Explanation: This option suggests placing the internet-facing load balancers in dedicated public subnets, which is ideal for ELB deployment. NACL should be configured at the subnet level, not at the instance level for the servers. Security group should be configured at the ELB and instance level, not just at the instance level.

Therefore, the recommended security best practice for ELB/Server deployment in the AWS cloud is Option D: Place Internet-facing Load Balancers in dedicated public subnets with NACL configured at the subnet level. Configure Security Group at each instance level for all servers.
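
The placement rules above can be checked against an existing VPC. The following is an added example, not part of the original question: it audits data shaped like the boto3 describe_route_tables, elbv2 describe_load_balancers and describe_instances responses, treating a subnet as public when its effective route table sends 0.0.0.0/0 to an internet gateway. All IDs and sample data are constructed, and a single VPC with one main route table is assumed.

```python
# Constructed sample data (trimmed to the fields the check uses).
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
]
LOAD_BALANCERS = [
    {"LoadBalancerName": "web-elb", "Scheme": "internet-facing",
     "AvailabilityZones": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-priv-a"}]},
]
DB_INSTANCES = [
    {"InstanceId": "i-db1", "SubnetId": "subnet-priv-a"},
    {"InstanceId": "i-db2", "SubnetId": "subnet-pub-a"},
]

def _has_igw_default_route(table):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-")
               for r in table["Routes"])

def is_public(subnet_id, route_tables):
    """True when the subnet's effective route table has a default route to an IGW."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return _has_igw_default_route(table)
            if assoc.get("Main"):
                main = table
    # No explicit association: the subnet falls back to the VPC's main route table.
    return main is not None and _has_igw_default_route(main)

def audit(load_balancers, db_instances, route_tables):
    """Return (rule, resource, subnet) findings for misplaced ELBs and DB servers."""
    findings = []
    for lb in load_balancers:
        if lb["Scheme"] != "internet-facing":
            continue  # internal load balancers may live in private subnets
        for az in lb["AvailabilityZones"]:
            if not is_public(az["SubnetId"], route_tables):
                findings.append(("lb-in-private-subnet", lb["LoadBalancerName"], az["SubnetId"]))
    for inst in db_instances:
        if is_public(inst["SubnetId"], route_tables):
            findings.append(("db-in-public-subnet", inst["InstanceId"], inst["SubnetId"]))
    return findings
```

On the sample data, audit(LOAD_BALANCERS, DB_INSTANCES, ROUTE_TABLES) flags web-elb for spanning subnet-priv-a and i-db2 for sitting in subnet-pub-a.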