Home / Amazon / SAA-C01 / Question 345

A Solutions Architect is creating a multi-tiered architecture for an application that includes a public-facing web tier. Security requirements state that the AmazonEC2 instances running in the application tier must not be accessible directly from the internet.What should be done to accomplish this?

• A. Create a multi-VPC peering mesh with network access rules limiting communications to specific ports. Implement an internet gateway on each VPC for external connectivity.

• B. Place all instances in a single Amazon VPC with AWS WAF as the web front-end communication conduit. Configure a NAT gateway for external communications.

• C. Use VPC peering to peer with on-premises hardware. Direct enterprise traffic through the VPC peer connection to the instances hosted in the private VPC.

• D. Deploy the web and application instances in a private subnet. Provision an Application Load Balancer in the public subnet. Install an internet gateway and use security groups to control communications between the layers.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html