A startup firm is planning to migrate all its in-house servers to VPC. These are three-tier servers wherein application servers are internet-facing fetching data from backend database servers. For deploying servers in VPC, they have created public & private subnets in VPC. ELB will be front-ending these servers to forward all incoming user requests towards application servers. Database servers will be launched in private subnets. Which of the following is recommended security best practices for ELB/ Server deployment in the AWS cloud?

Answer options:

A.Place Internet-facing Load Balancers in dedicated private subnets with NACL configured at the subnet level. Configure Security Group at each instance level for all servers.
B.Place Internet-facing Load Balancers in dedicated private subnets with security-group at the subnet level. Configure NACL at each instance level for all servers.
C.Place Internet-facing Load Balancers in dedicated public subnets with security-group at the subnet level. Configure NACL at each instance level for all servers.
D.Place Internet-facing Load Balancers in dedicated public subnets with NACL configured at the subnet level. Configure Security Group at each instance level for all servers.

Correct Answer – D
All internet-facing application servers & ELB should be placed in public subnets with NACL configure at a subnet level. For servers, additional security can be configured by applying a security group at the instance level.
Option A is incorrect as Internet-facing load balancers should be in Public subnets & not in Private subnets.
Option B & C are incorrect as security groups should be at the Instance level & not at the subnet level. NACL should be at the subnet level & not at the instance level.
For more information on security within AWS VPC, refer to the following URL
https://docs.aws.amazon.com/vpc/latest/userguide/security.html