A cloud architect is designing a multi-tier application in a public cloud that must comply with PCI DSS. The web tier must be accessible from the internet, but the application tier should not have any public IP addresses. Which architecture meets these requirements?
This provides internet access to the web tier while keeping the app tier isolated from direct internet.
Why this answer
Option A is correct because placing the web tier in a public subnet with a load balancer and the app tier in a private subnet with no public IPs fulfills the requirement. Option B is wrong because a direct VPC peering does not restrict public access. Option C is wrong because a VPN adds unnecessary complexity.
Option D is wrong because the app tier should not have public IPs.