Answers: B and E.
Option A is incorrect.
The entry point to the Application is the ELB.
It's best to have only the ELB within the Public Subnet and have the Application & Database in the Private subnet.
This way, a user can access the application through the ELB to provide High Availability & failover.
Option B is CORRECT.
This is the best possible configuration that can be defined for maximum Security, High Availability & Failover.
Option C is incorrect.
This configuration will be the least secure since users will be able to access all of the Application, Database & ELB within the Public Subnet.
Also, single points of failure may occur due to a lack of proper services structuring within the respective layers.
Option D is incorrect since the Application should be placed within the Private Subnet, which should not route to the Internet Gateway.
Instead, it should have a route to the NAT gateway for accessing the Internet in an Egress manner.
Option E is CORRECT.
A NAT gateway allows resources hosted within the Private Subnet to access the Internet for operations like OS updates or DB patch updates.
Since the ELB is the only resource within a Public Subnet, it should ideally contain a NAT Gateway that will allow the Application or Database to access the Internet.
Diagram:
The figure below shows a typical configuration of an ELB, EC2 instance, RDS, NAT Gateway, Bastion host & route table.
The NAT Gateway & Bastion Host are contained within the Public Subnet along with the ELB, while the EC2 instance & RDS are contained within a Private Subnet.
References:
https://youtu.be/tD9vDv0uyI8
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
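As an added example (not part of the original answer or of the AWS documentation linked above), the Python below classifies subnets from route-table data in the shape of the EC2 DescribeRouteTables response and flags the placements the answer rejects: an application or database tier in a subnet that routes to the Internet Gateway (options C and D), an application subnet with no NAT egress for patching, and a NAT gateway outside the public subnet (option E). All subnet, gateway and NAT IDs are constructed.

```python
"""Audit a VPC layout against options B and E: ELB public, app and DB private,
NAT gateway in the public subnet. Added example; all IDs here are made up."""

def classify_subnets(route_tables):
    """Map each subnet to 'public' (default route to an Internet Gateway),
    'private' (default route to a NAT gateway) or 'isolated' (no default route)."""
    classes = {}
    for rtb in route_tables:
        kind = "isolated"
        # Only the default route decides; the VPC-local route is ignored.
        for r in (x for x in rtb["Routes"] if x.get("DestinationCidrBlock") == "0.0.0.0/0"):
            if r.get("GatewayId", "").startswith("igw-"):
                kind = "public"
            elif "NatGatewayId" in r:
                kind = "private"
        for assoc in rtb["Associations"]:
            if "SubnetId" in assoc:             # skip the VPC main-table association
                classes[assoc["SubnetId"]] = kind
    return classes

def audit_layout(route_tables, nat_gateways, placements):
    """Return findings; an empty list means the layout matches options B and E."""
    classes = classify_subnets(route_tables)
    findings = []
    for s in placements.get("elb", []):
        if classes.get(s) != "public":
            findings.append(f"ELB subnet {s} lacks an Internet Gateway route")
    for tier in ("app", "db"):
        for s in placements.get(tier, []):
            if classes.get(s) == "public":      # options C/D: tier reachable via IGW
                findings.append(f"{tier} subnet {s} routes to an Internet Gateway")
    for s in placements.get("app", []):
        if classes.get(s) == "isolated":        # option E: no egress for OS/DB patching
            findings.append(f"app subnet {s} has no NAT gateway route")
    for nat in nat_gateways:                    # the NAT gateway itself needs IGW egress
        if classes.get(nat["SubnetId"]) != "public":
            findings.append(f"NAT gateway {nat['NatGatewayId']} is not in a public subnet")
    return findings

# Constructed sample (DescribeRouteTables / DescribeNatGateways shape), wired as in the
# diagram: a public subnet holding the ELB and NAT gateway, and a private subnet.
SAMPLE_RTBS = [
    {"Associations": [{"SubnetId": "subnet-pub"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"Associations": [{"SubnetId": "subnet-priv"}], "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]}]
SAMPLE_NATS = [{"NatGatewayId": "nat-0example", "SubnetId": "subnet-pub"}]
GOOD = {"elb": ["subnet-pub"], "app": ["subnet-priv"], "db": ["subnet-priv"]}
```

Feeding `audit_layout` a placement with every tier in `subnet-pub` reproduces option C and returns one finding per exposed tier, while the layout in `GOOD` returns an empty list.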
The best practices for hosting an application and database in a Virtual Private Cloud (VPC) infrastructure environment are as follows:
Host the Application in a Public Subnet, Database in a Private Subnet with an ELB frontending the Application in a Public Subnet. This approach separates the application and database tiers by placing them in different subnets. The application tier is placed in a public subnet to allow access to the internet for communication with users, while the database tier is placed in a private subnet that is not accessible from the internet. An Elastic Load Balancer (ELB) is placed in the public subnet to front-end the application, and it distributes traffic across multiple instances to ensure high availability and scalability. This configuration provides a higher level of security for the database, as it is not directly accessible from the internet.
Subnet configured for the Application should have a route to the Internet Gateway. In this approach, the application and database tiers are placed in the same subnet, but the subnet is configured to have a route to the internet gateway. This allows the application to communicate with users over the internet, but it also exposes the database to potential security risks.
Option A is the recommended approach as it follows the best practice of separating the application and database tiers in different subnets for improved security, while also using an ELB for scalability and high availability. Option B exposes the database to potential security risks, and options C and D do not follow best practices for separating the application and database tiers.
Option E is not directly related to hosting the application and database, but rather relates to configuring the ELB subnet to allow outgoing traffic to the internet via a NAT Gateway. This is not a required step for hosting an application and database in a VPC, but it can be used to provide access to external resources, such as software updates or external APIs.