Answers: D and E.
The figure above shows that both the database server and the web server have routes to the internet gateway through the main route table.
Database servers are usually hosted in a non-DMZ zone, which offers more protection from outside attack.
Also, since the web servers front-end the application requests, it should not be necessary to expose the backend database directly to the internet.
Option A is incorrect.
Since the Web Server front-ends application requests, it should have a route to the Internet Gateway for accessing it from the Internet.
Option B is incorrect.
A default subnet assigns both a public IPv4 and a private IPv4 address.
The web server will require either a public IP or an Elastic IP to be accessible from the Internet.
Option C is incorrect.
A NAT gateway provides egress-only access to the internet, allowing the database server to connect outbound to download software patches.
This is a good practice for disallowing direct ingress access to the database server from the internet.
The diagram can be modified to reflect this change.
Option D is CORRECT.
Since the database does not require a public IP, it is suitable to host the DB server on a non-default subnet that does not allocate a public IP by default.
Option E is CORRECT.
The database server should not have a route to the Internet Gateway.
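Options D and E can be checked mechanically against route-table and subnet data. The following is an added example (not part of the original answer or of any AWS tooling): it classifies each subnet by its 0.0.0.0/0 route and flags database subnets that either auto-assign a public IPv4 address or route to an internet gateway. The route tables, subnet IDs, gateway IDs and the `db_subnet_ids` set are constructed for illustration, shaped like `describe-route-tables` / `describe-subnets` output.

```python
# Added example: classify subnets by their default route and flag database
# subnets that violate options D or E. All IDs and data below are constructed
# to mirror the shape of `aws ec2 describe-route-tables` / `describe-subnets`.

def classify(route_table):
    """'public' (igw), 'private-egress' (NAT) or 'isolated', by 0.0.0.0/0 route."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private-egress"
    return "isolated"

def db_findings(route_tables, subnets, db_subnet_ids):
    """Return (subnet_id, problem) pairs for DB subnets violating options D or E."""
    exposure = {}
    for rt in route_tables:
        cls = classify(rt)
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:
                exposure[assoc["SubnetId"]] = cls
    findings = []
    for sub in subnets:
        sid = sub["SubnetId"]
        if sid not in db_subnet_ids:
            continue
        if sub.get("MapPublicIpOnLaunch"):            # option D violated
            findings.append((sid, "auto-assigns public IPv4 (default subnet)"))
        if exposure.get(sid) == "public":             # option E violated
            findings.append((sid, "default route to internet gateway"))
    return findings

# Constructed "before" state: web and DB subnets both use the main route table.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
BEFORE_RTS = [{"RouteTableId": "rtb-main",
               "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
               "Associations": [{"SubnetId": "subnet-web"}, {"SubnetId": "subnet-db"}]}]
BEFORE_SUBNETS = [{"SubnetId": "subnet-web", "MapPublicIpOnLaunch": True},
                  {"SubnetId": "subnet-db", "MapPublicIpOnLaunch": True}]
# Constructed "after" state: DB moved to a non-default subnet whose route table
# sends 0.0.0.0/0 through a NAT gateway (egress only, no inbound path).
AFTER_RTS = [{"RouteTableId": "rtb-main", "Routes": BEFORE_RTS[0]["Routes"],
              "Associations": [{"SubnetId": "subnet-web"}]},
             {"RouteTableId": "rtb-db",
              "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
              "Associations": [{"SubnetId": "subnet-db"}]}]
AFTER_SUBNETS = [{"SubnetId": "subnet-web", "MapPublicIpOnLaunch": True},
                 {"SubnetId": "subnet-db", "MapPublicIpOnLaunch": False}]
```

Running `db_findings(BEFORE_RTS, BEFORE_SUBNETS, {"subnet-db"})` reports both problems for the DB subnet, while the "after" state returns no findings.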
Diagram: