Architecture for High Availability and Security

Answer - B.

You need to have public subnets for the Elastic Load balancer to ensure that traffic can flow via the Internet.

The Web servers can be in the Private subnet since the communication between the instances and the ELB happens via the private IP and provides better security for the Web Servers.

The database servers should be in the private subnet since it does not need to communicate with the Internet.

Option A is invalid since the ELB is in the Public subnet, there is no need to place the Web Server in the Public subnet because ELB and Web Server communicate via Private IP.

Option C is invalid since the database servers don't need to be in the public subnet.

Option D is invalid since the database servers don't need to be in the public subnet.

For more information on Elastic Load balancing, please refer to the below URL-

https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html

Note: There is no requirement for ec2 instances to be in public subnet as route53 will route the request to elb whose endpoint is exposed as lb(Load Balancer) is in public subnet.

The communication between elb and ec2 instances happens via private IP.

So it's better for security purposes.

URL: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-internet-facing-load-balancers.html.

create an Internet-Facing Load Balancer.

When you create a load balancer in a VPC, you can make it an internal load balancer or an Internet-facing load balancer.

You create an Internet-facing load balancer in a public subnet.

Load balancers in EC2-Classic are always Internet-facing load balancers.

When you create your load balancer, you configure listeners, configure health checks, and register back-end instances.

You configure a listener by specifying a protocol and a port for front-end (client to load balancer) connections, and a protocol and a port for back-end (load balancer to back-end instances) connections.

You can configure multiple listeners for your load balancer.

The correct architecture for the network, keeping high availability and security in mind, is Option B: B. 2 public subnets for the Elastic Load balancer and NAT Gateway, 2 private subnets for the Web server EC2 Instances, 2 private subnets for the database server.

Here's the detailed explanation:

1. Elastic Load Balancer: The Elastic Load Balancer is the entry point for incoming traffic from the internet. It distributes incoming traffic across multiple EC2 instances. The Elastic Load Balancer should be placed in a public subnet to allow access from the internet.

2. EC2 Instances hosting web application: The EC2 instances hosting the web application should be placed in private subnets. Private subnets have no direct access to the internet, which adds an extra layer of security to your application. Also, the EC2 instances should be spread across multiple Availability Zones to ensure high availability.

3. Backend Database Server: The backend database server should also be placed in a private subnet. Private subnets offer an additional layer of security by not allowing direct access to the database server from the internet. Additionally, the database server should also be spread across multiple Availability Zones to ensure high availability.

4. NAT Gateway: The NAT Gateway is used to allow EC2 instances in the private subnets to access resources on the internet. The NAT Gateway should be placed in a public subnet to allow it to access the internet.

So, the correct architecture for the network, keeping high availability and security in mind, is Option B: 2 public subnets for the Elastic Load balancer and NAT Gateway, 2 private subnets for the Web server EC2 Instances, 2 private subnets for the database server.