Question 1,156 of 1,546
Networking and Content Delivery · Hard · Multiple select · Objective-mapped

Quick Answer

Two configurations are required. First, give the application tier's security group an inbound rule whose source is the web tier's security group rather than a CIDR block. Security group references are evaluated against membership, so any instance attached to the web tier group can reach the app tier even as instances are replaced or scaled out and their private IPs change. Second, the web tier's public subnets need a route table entry that sends 0.0.0.0/0 to an Internet Gateway; that route is what makes a subnet public and lets user traffic reach the web tier. On the AWS Certified SysOps Administrator Associate SOA-C02 exam this tests security group chaining in multi-tier architectures, and the common trap is picking a network ACL or CIDR rule for the private subnet instead. Remember that a group reference is dynamic and tied to group membership, whereas a CIDR admits everything in that address range. To restrict app tier traffic to the web tier, think "group-to-group, not IP-to-group." A handy memory tip: "SG in, SG out, no IPs to shout about."

SOA-C02 Networking and Content Delivery Practice Question

This SOA-C02 practice question tests your understanding of networking and content delivery. It is a design task: choose the two configurations that together satisfy every stated requirement. Small differences, such as a security group reference versus a subnet CIDR, or a route to an Internet Gateway versus a NAT gateway, change whether an option is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is designing a multi-tier application in a VPC. The web tier must be in public subnets and the application tier in private subnets. The application tier needs to receive traffic only from the web tier. Which TWO configurations are required?

Answer choices

  • Configure the security group for the application tier to allow inbound traffic from the web tier's security group.
  • Ensure the web tier instances have a route to an Internet Gateway for user traffic.
  • Use a network ACL on the private subnet to deny all inbound traffic except from the public subnet CIDR.
  • Add a route to the Internet Gateway in the private subnet's route table.
  • Assign public IP addresses to the application tier instances for outbound access.

Correct answer & explanation

Configure the security group for the application tier to allow inbound traffic from the web tier's security group, and ensure the web tier instances have a route to an Internet Gateway for user traffic.

The security group option is correct because security groups are stateful, rule-based controls that accept a logical reference to another security group as a source. By specifying the web tier's security group as the source in the application tier's inbound rule, traffic is allowed only from instances associated with that web tier security group, regardless of IP address changes. This is more secure and more manageable than a CIDR block, which would admit any host in the range, because it adapts automatically to scaling and instance replacement.

The Internet Gateway option is correct because the web tier is only "public" if its subnet's route table sends 0.0.0.0/0 to an Internet Gateway. Without that route, user traffic from the internet cannot reach the web tier at all, and the application tier would never see legitimate requests.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Configure the security group for the application tier to allow inbound traffic from the web tier's security group.

    Why this is correct

A security group rule whose source is another security group matches traffic from every network interface attached to that group, so it follows the web tier's membership as instances are added or replaced. A CIDR rule would instead admit any host in the address range.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Ensure the web tier instances have a route to an Internet Gateway for user traffic.

    Why this is correct

A subnet is public only if its route table sends 0.0.0.0/0 to an Internet Gateway. Without that route (together with a public or Elastic IP, or a load balancer in front of the instances) no user traffic reaches the web tier.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use a network ACL on the private subnet to deny all inbound traffic except from the public subnet CIDR.

    Why it's wrong here

A network ACL is stateless and subnet-wide, and it is keyed to a CIDR rather than to the web tier's membership. Allowing the whole public subnet CIDR admits anything placed in that subnet (a NAT gateway, a bastion host, a load balancer), not just web-tier instances, and the deny-all inbound rule would also drop return traffic for connections the app tier itself opens to anything outside that CIDR, because responses arrive inbound on ephemeral ports. A security group reference is both tighter and stateful.

  • Add a route to the Internet Gateway in the private subnet's route table.

    Why it's wrong here

A 0.0.0.0/0 route to an Internet Gateway is what defines a public subnet; adding it to the private subnet's route table would expose the app tier directly. Outbound-only access (patching, API calls) goes through a NAT gateway in a public subnet instead.

  • Assign public IP addresses to the application tier instances for outbound access.

    Why it's wrong here

The app tier is only supposed to be reached through the web tier. Public IPs are not needed for outbound access, which a NAT gateway provides, and they give the instances a directly addressable internet-facing identity that the design is meant to avoid.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates often confuse security groups (stateful, instance-level) with network ACLs (stateless, subnet-level) and assume that a network ACL denying all inbound traffic except from the public subnet CIDR is sufficient. That overlooks three things: the NACL needs explicit rules in both directions, it is keyed to an address range rather than to the web tier's membership, and it cannot follow instances as they scale or are replaced the way a security group reference does.

Detailed technical explanation

How to think about this question

Security groups operate at the instance level (on the ENI) and are stateful: if an inbound rule allows a connection, the return traffic is permitted automatically regardless of the outbound rules. Network ACLs, by contrast, are stateless and require explicit rules in both directions. In a multi-tier architecture, referencing the web tier's security group as the source in the application tier's security group ensures that only traffic originating from network interfaces associated with the web tier group is allowed, a logical boundary that scales with an Auto Scaling group. One caveat worth knowing: a security group reference matches on the private IP addresses of the referenced instances, so the web tier must address the app tier by private IP or DNS name; traffic sent to a public or Elastic IP does not match the reference. Keeping the app tier in private subnets with no public IPs, as the question requires, avoids that problem entirely.
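The two requirements above, and the explanation of why the security group reference (rather than a CIDR) is the right control, can be turned into an audit check. The script below is an added example written for this page, not code from Courseiva or from AWS. It walks data shaped like the EC2 DescribeSecurityGroups and DescribeRouteTables responses and reports any app-tier inbound rule that admits something other than the web tier's security group, any private subnet that routes 0.0.0.0/0 to an Internet Gateway, and any public subnet that lacks that route. The group IDs, gateway IDs and the sample documents are constructed; no AWS API is called, so it runs offline.

```python
"""Audit a two-tier VPC layout against the question's two requirements:
(1) the app-tier security group admits inbound traffic only via a reference
    to the web-tier security group (no CIDR sources), and
(2) only the public subnet's route table sends 0.0.0.0/0 to an Internet Gateway.

Added example, not code from the practice-question page. The IDs and dicts
below are constructed to mirror the shape of the EC2 DescribeSecurityGroups /
DescribeRouteTables responses; nothing here talks to AWS.
"""
from __future__ import annotations

WEB_SG = "sg-0aaa000000000001"  # constructed web-tier security group ID
APP_SG = "sg-0bbb000000000002"  # constructed app-tier security group ID


def _port_label(perm: dict) -> str:
    """Render an IpPermission's protocol/port range; IpProtocol '-1' means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def app_sg_findings(app_sg: dict, web_sg_id: str) -> list[str]:
    """One finding per inbound rule that admits anything other than web_sg_id."""
    findings: list[str] = []
    for perm in app_sg.get("IpPermissions", []):
        label = _port_label(perm)
        # CIDR sources are static and admit every host in the range, not just web instances.
        for r in perm.get("IpRanges", []):
            findings.append(f"{label}: CIDR source {r['CidrIp']}; should reference {web_sg_id}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{label}: CIDR source {r['CidrIpv6']}; should reference {web_sg_id}")
        # Group references are fine only if they point at the web tier's group.
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != web_sg_id:
                findings.append(f"{label}: references {pair.get('GroupId')}, not the web-tier group")
    return findings


def route_table_findings(route_table: dict, expect_public: bool) -> list[str]:
    """Public subnets must default-route to an IGW; private subnets must not."""
    findings: list[str] = []
    default_routes = [r for r in route_table.get("Routes", [])
                      if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
    igw_routes = [r for r in default_routes if r.get("GatewayId", "").startswith("igw-")]
    if expect_public and not igw_routes:
        findings.append("public subnet has no 0.0.0.0/0 route to an Internet Gateway")
    if not expect_public and igw_routes:
        findings.append("private subnet routes 0.0.0.0/0 to an Internet Gateway (that makes it public)")
    return findings


# Constructed sample responses, trimmed to the fields the checks read.
APP_SG_GOOD = {
    "GroupId": APP_SG,
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
        "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": WEB_SG}],  # the correct group-to-group rule
    }],
}
APP_SG_BAD = {
    "GroupId": APP_SG,
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
        "IpRanges": [{"CidrIp": "10.0.1.0/24"}],  # the distractor: public-subnet CIDR
        "Ipv6Ranges": [], "UserIdGroupPairs": [],
    }],
}
RT_PUBLIC = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ccc000000000003"},  # constructed IGW
]}
RT_PRIVATE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0ddd000000000004"},  # outbound only
]}


def audit(app_sg: dict, public_rt: dict, private_rt: dict) -> list[str]:
    """Run both checks; an empty list means the design meets both requirements."""
    return (app_sg_findings(app_sg, WEB_SG)
            + route_table_findings(public_rt, expect_public=True)
            + route_table_findings(private_rt, expect_public=False))


if __name__ == "__main__":
    for name, sg in (("good", APP_SG_GOOD), ("bad", APP_SG_BAD)):
        print(name, audit(sg, RT_PUBLIC, RT_PRIVATE) or ["OK"])
```

Against real accounts the same functions can be fed the `SecurityGroups` and `RouteTables` entries returned by the EC2 API; the checks only read the standard field names. Note that the audit deliberately treats any CIDR source on the app tier as a finding, which is the exam's point: the public subnet CIDR (option C's approach) also admits NAT gateways, bastions and anything else later placed in that subnet.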

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A retailer runs its web tier behind a load balancer in public subnets and its application tier in private subnets, with both tiers in Auto Scaling groups. During a sale, web instances are launched and terminated continuously, so any rule written against their IP addresses would be stale within minutes. Because the application tier's security group references the web tier's security group, every newly launched web instance can reach the app tier immediately, and nothing else in the VPC can. Questions like this test whether you understand security group chaining, what actually makes a subnet public or private, and why stateless network ACLs are the wrong tool for tier-to-tier access control.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related SOA-C02 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SOA-C02 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SOA-C02 question test?

Networking and Content Delivery. This question tests security group chaining between tiers and what makes a subnet public or private. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answers are: configure the security group for the application tier to allow inbound traffic from the web tier's security group, and ensure the web tier instances have a route to an Internet Gateway for user traffic. The security group option is correct because security groups support stateful, rule-based traffic control using logical references to other security groups. By specifying the web tier's security group as the source in the application tier's inbound rule, traffic is allowed only from instances associated with that web tier security group, regardless of IP address changes. This is more secure and manageable than a CIDR block because it adapts automatically to scaling and instance replacement. The Internet Gateway route is correct because a subnet is only public, and only reachable by users, if its route table sends 0.0.0.0/0 to an Internet Gateway.

What should I do if I get this SOA-C02 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 24, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This SOA-C02 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SOA-C02 exam.