You are designing an online shopping application for your company. This application will be running in a VPC on EC2 instances behind an Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer managed database cluster. There should be no access to the database from the Internet. But the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements completely?

Answer options:

A.Public subnets for both the application tier and the database cluster.
B.Public subnets for the application tier and private subnets for the database cluster and NAT Instance.
C.Public subnets for the application tier and NAT Gateway and private subnets for the database cluster.
D.Public subnets for the application tier and private subnets for the database cluster and NAT Gateway.

Answer – C
The following diagram from the AWS Documentation shows the right setup for this.
Option A is incorrect because the database tier should not be in the public subnet.
Options B and D are incorrect because the NAT gateway needs to be in the public subnet.
For more information on this setup, please refer to the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html