A three-tier web application is running on AWS VPC in two availability zones, as shown below. Here are the CIDR ranges for each subnet and the corresponding servers.
 Layer EU-East-1a EU-east-1b
Web server 10.16.0.0/25 10.16.0.128/25
Application Server 10.16.1.0/25 10.16.1.128/25
DB Server 10.16.2.0/25 10.16.2.128/25
The DB server runs MySQL, which would run on its default port, should only allow access to the Application Server tier and access from the rest of the tiers should be denied.
Which inbound rule of the Security Group on the DB server needs to be attached to meets this requirement?

Answer options:

A.Type : MySQL |
Protocol: TCP |
Port: 3306 |
Source: 10.16.0.0/24
B.Type: MySQL |
Protocol: TCP |
Port: 3306 |
Source: 10.16.2.0/24
C.Type : MySQL |
 Protocol: TCP |
Port : 3306 |
Source: 10.16.1.0/24
D.Type : MySQL |
 Protocol: TCP |
 Port: 3306 |
 Source: 10.16.3.128/25

Answer: C
The requirement here is to allow access from Application Tier to DB Tier. The other point to note here is that MySQL would run on its default port. The default port for MySQL is ‘3306.’
Two /25 networks equal a /24 network. Two /27 networks equal a /26 network. Two /26 networks equal a /25 network. And so on, and so on. The notion of combining two smaller networks into a larger one is another benefit of classless networks named supernetting. To create a supernet, the smaller networks must be contiguous. For example, 192.0.2.240/29 and 192.0.2.248/29 can form a supernet 192.0.2.240/28, but 192.0.2.240/29 and 192.0.2.8/29 could not as it must be 192.0.2.248/29 to form a supernet.
Application Server tier IPs across two subnets are - 10.16.1.0/25 and 10.16.1.128/25 that is from 10.16.1.0 to 10.16.1.255 which is the same as 10.16.1.0/24.
So Option C is the best answer.
Options A, B, and D are incorrect because the source should be 10.16.1.0/24.
Or alternatively, two inbound rules from Port 3306 but different sources, i.e., 10.16.1.0/25 and 10.16.1.128/25.