Question 352 of 375 from exam CLF-C01: AWS Certified Cloud Practitioner

Answers: D and E.

The figure shown above shows that both the Database Server & the Web Server have routes to the internet gateway using the Main Route table.

Database servers are usually hosted in a non-DMZ zone which offers more protection from outside attack.

Also, since web servers are front-ending the application requests, it should not be necessary to expose the backend database directly to the internet.

Option A is incorrect.

Since the Web Server front-ends application requests, it should have a route to the Internet Gateway for accessing it from the Internet.

Option B is incorrect.

A default subnet provides both a Public Ipv4 & a Private Ipv4 address.

The Web Server will require either a Public IP or Elastic IP to be accessible from the Internet.

Option C is incorrect.

A NAT gateway provides an Egress only access to the internet by allowing the DataBase server to connect to the internet to update software patches.

This is a good practice for disallowing direct Ingress access to the DataBase Server from the internet.

The diagram can be modified to reflect this change.

Option D is CORRECT.

Since the database does not require a Public IP, it is suitable to host the DB Server on a non-default subnet that does not allocate a Public IP by default.

Option E is CORRECT.

The database server should not have a route to the Internet Gateway.

Diagram:

References:

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html https://www.testpreptraining.com/tutorial/aws-cloud-practitioner/aws-cloud-security/