A company is designing a multi-tier web application on AWS. The web tier must be accessible from the internet, but the application and database tiers must be isolated. The security team requires that all traffic between tiers be encrypted and that the application tier can only be accessed by the web tier. Which architecture should be used?
Trap 1: Place all tiers in public subnets and use security groups to…
This exposes app and database tiers to the internet, which is not isolated.
Trap 2: Place the web and app tiers in public subnets and the database in a…
The app tier in a public subnet is exposed and unnecessary.
Trap 3: Place all tiers in private subnets and use a single security group…
A single security group does not provide fine-grained isolation between tiers.
- A
Place all tiers in public subnets and use security groups to restrict traffic.
Why wrong: This exposes app and database tiers to the internet, which is not isolated.
- B
Place the web tier in a public subnet with an internet gateway, and the app and database tiers in private subnets. Use separate security groups for each tier, allowing only necessary traffic.
Why correct: The app and database tiers are isolated from the internet, per-tier security groups limit the app tier to traffic originating from the web tier's security group, and encryption between tiers can be enforced at the application layer (TLS on each tier's listener).
- C
Place the web and app tiers in public subnets and the database in a private subnet.
Why wrong: The app tier in a public subnet is exposed and unnecessary.
- D
Place all tiers in private subnets and use a single security group to allow traffic between them.
Why wrong: A single security group does not provide fine-grained isolation between tiers.
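As an added example (not part of the original question), the following Python script turns the reasoning behind option B into a pre-deployment check: it takes a constructed inventory of subnets and security groups, in the shape a reviewer might pull from a Terraform plan or `aws ec2 describe-security-groups`, and flags any of the three traps above. The subnet names, security-group IDs, ports and the assumption that TLS terminates on the listed ports (443 on the web tier, 8443 on the app tier, 5432 with SSL enforced on the database) are assumptions for this example, not values from the page.

```python
"""Offline check of a three-tier VPC design: verify that only the web tier is
internet-facing, that each tier has its own security group, that the app tier
accepts traffic only from the web tier (and the database only from the app
tier), and that every inter-tier listener is a TLS port."""

# Constructed sample inventory (assumed names/IDs, not from the page).
SUBNETS = {
    "web": {"routes_to_igw": True},   # public: route to the internet gateway
    "app": {"routes_to_igw": False},  # private
    "db": {"routes_to_igw": False},   # private
}

# Ingress rules per security group. Sources are security-group IDs rather
# than CIDRs, so the rule follows the instances instead of an address range.
SECURITY_GROUPS = {
    "sg-web": {"ingress": [{"from": "0.0.0.0/0", "port": 443}]},
    "sg-app": {"ingress": [{"from": "sg-web", "port": 8443}]},
    "sg-db": {"ingress": [{"from": "sg-app", "port": 5432}]},
}

TIER_SG = {"web": "sg-web", "app": "sg-app", "db": "sg-db"}

# Ports on which each tier is assumed to accept only TLS connections
# (e.g. an HTTPS listener on the app tier, SSL-enforced PostgreSQL on the db).
TLS_PORTS = {"web": {443}, "app": {8443}, "db": {5432}}


def check_design(subnets, security_groups, tier_sg, tls_ports):
    """Return a list of findings; an empty list means the design passes."""
    findings = []

    # Trap 3: a shared security group cannot isolate tiers from each other.
    if len(set(tier_sg.values())) != len(tier_sg):
        findings.append("tiers share a security group; use one per tier")

    # Traps 1 and 2: only the web subnet may route to the internet gateway,
    # and the web subnet must route to it, since it has to be reachable.
    for tier, subnet in subnets.items():
        if tier == "web" and not subnet["routes_to_igw"]:
            findings.append("web subnet has no internet route")
        if tier != "web" and subnet["routes_to_igw"]:
            findings.append(f"{tier} subnet routes to the internet gateway")

    # Each private tier accepts ingress only from the previous tier's SG,
    # and only on a TLS port.
    expected_source = {"app": tier_sg["web"], "db": tier_sg["app"]}
    for tier, source in expected_source.items():
        for rule in security_groups[tier_sg[tier]]["ingress"]:
            if rule["from"] != source:
                findings.append(
                    f"{tier} tier accepts traffic from {rule['from']}, "
                    f"expected only {source}")
            if rule["port"] not in tls_ports[tier]:
                findings.append(
                    f"{tier} tier listens on non-TLS port {rule['port']}")

    # The web tier may open only its TLS port to the internet.
    for rule in security_groups[tier_sg["web"]]["ingress"]:
        if rule["from"] == "0.0.0.0/0" and rule["port"] not in tls_ports["web"]:
            findings.append(f"web tier exposes non-TLS port {rule['port']}")

    return findings


def trap_findings():
    """Findings for the page's Trap 3: all tiers private behind one shared SG
    (constructed data; port 0 stands for 'all ports')."""
    subnets = {t: {"routes_to_igw": False} for t in ("web", "app", "db")}
    sgs = {"sg-shared": {"ingress": [{"from": "sg-shared", "port": 0}]}}
    tier_sg = {"web": "sg-shared", "app": "sg-shared", "db": "sg-shared"}
    return check_design(subnets, sgs, tier_sg, TLS_PORTS)


if __name__ == "__main__":
    print("option B design:", check_design(SUBNETS, SECURITY_GROUPS, TIER_SG, TLS_PORTS) or "no findings")
    for finding in trap_findings():
        print("trap 3 design:", finding)
```

Run it as-is and the option B inventory produces no findings, while the single-security-group variant is flagged for the shared group, the missing internet route on the web tier, and the all-ports listeners on the app and database tiers. Referencing the previous tier's security group as the source, rather than a subnet CIDR, is what makes "the application tier can only be accessed by the web tier" hold even when instances are replaced or scaled.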