A company has a VPC with a CIDR of 172.16.0.0/16. They have a subnet 172.16.1.0/24 for web servers and another subnet 172.16.2.0/24 for database servers. The web servers need to access the database servers on port 3306. Which configuration is required?
Allows only MySQL traffic from web to DB.
Why this answer
Option C is correct because security groups are stateful and are evaluated per instance (per network interface), not per subnet. The database security group needs an inbound rule allowing TCP 3306 whose source is the web security group's ID, and the web security group needs an outbound rule allowing TCP 3306 to the database security group. Referencing the security group ID rather than the 172.16.1.0/24 CIDR means the rule follows the web instances wherever they are launched, and nothing else in that subnet inherits the access. Because the groups are stateful, the MySQL responses flow back to the web servers without any additional rule. Note that a new security group allows all outbound traffic by default, so the explicit outbound rule only becomes necessary once that default has been tightened; the decisive rule is the database group's inbound rule, restricted to port 3306 and sourced from the web group.
Exam trap
The trap here is that candidates often confuse the stateless nature of network ACLs with the stateful behavior of security groups, or they incorrectly assume that inbound rules on the source security group are needed instead of outbound rules on the source and inbound rules on the destination. A second trap is placing the port 3306 rule on the wrong group: it belongs inbound on the database group, sourced from the web group, not inbound on the web group.
How to eliminate wrong answers
Option A is wrong because network ACLs are stateless and apply at the subnet level, not the instance level; they would need an inbound rule for port 3306 on the database subnet plus an outbound rule for the ephemeral return ports back to the web subnet, and even then they cannot distinguish individual instances within a subnet, so they cannot express "only the web servers". Option B is wrong because it puts the inbound rule on the web security group, allowing TCP 3306 from 0.0.0.0/0, which exposes the web servers on the database port to any source and does nothing to let the database servers accept the connection; the outbound rule it adds to the database security group is unnecessary because security groups are stateful and return traffic is allowed automatically. Option D is wrong because it allows all ports instead of only 3306, violating the principle of least privilege and exposing every service on the database servers to the web tier.