A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16.
The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a
DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp)
and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database
security group (DBSecGrp)?
A.
Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
B.
Allow Inbound on port 3306 from source 20.0.0.0/16
C.
Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp)
D.
Allow Outbound on port 80 for Destination NAT Instance IP
Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public privatesubnet to host the web server and DB server respectively, the user should configure that the instances in the private
subnet can receive inbound traffic from the public subnet on the DB port. Thus, configure port 3306 in Inbound with the
source as the Web Server Security Group (WebSecGrp). The user should configure ports 80 and 443 for Destination
0.0.0.0/0 as the route table directs traffic to the NAT instance from the private subnet.
A
0
0
B also ok, but A is better to give least previledge
0
0
A
0
0
I don’t get this question. Subnets within a VPC can communicate by default right.? then Why do we need this.?
4
0