- [Seph] Welcome to the question walkthrough. The stem for this item is: A solutions architect needs to design a secure environment for AWS resources that are being deployed to Amazon EC2 instances in a VPC. The solution should support a three-tier architecture consisting of web servers, application servers, and a database cluster. The VPC needs to allow resources in the web tier to be accessible from the internet, only with the HTTPS protocol. Which combination of actions would meet these requirements?

The ask here is about which combination of actions would meet the requirements, and it wants you to pick two of the responses. What are the requirements? Well, the environment needs to be secure, a three-tier architecture needs to be supported with the use of web and application servers and a database cluster, and the web tier needs to be accessible from the internet, but only with HTTPS.

So, what are the options?

A. Attach Amazon API Gateway to the VPC, and create private subnets for the web, application, and database tiers.

B. Attach an internet gateway to the VPC. Create public subnets for the web tier, and create private subnets for the application and database tiers.

C. Attach a virtual private gateway to the VPC. Create public subnets for the web and application tiers, and create private subnets for the database tier.

D. Create a web server security group that allows all traffic from the internet. Create an application security group that allows requests only from the Amazon API Gateway on the application port, and create a database cluster security group that allows TCP connections from the application security group on the database port only.

E. Create a web server security group that allows HTTPS requests from the internet. Create an application server security group that allows requests from the web security group only, and then create a database cluster security group that allows TCP connections from the application security group on the database port only.

Remember that you need to find two responses to make the combination of actions that meets all of the stated requirements. I'll give you some time to figure that out. Go ahead. If you want more time, now is your chance to pause. I'm resuming in three, two, and here goes one.

The keys for this are responses B and E. Response B enables the web tier to be publicly accessible, while keeping the application and database tiers private. Response E specifies the type and origin of traffic that can access each of these tiers: the web servers can accept the required HTTPS requests, the application servers only accept requests from the web servers, and the database tier only allows traffic from the application servers.

But I don't want you to just take my word for it, so allow me to take you through the other options. For response A, this solution does not meet any of the requirements. API Gateway is for the creation, management, and securing of APIs, and there is no option to provide the accessibility to the web tier. Response C proposes the use of a VGW, which is utilized specifically for VPN connections. And while this does provide a method for the web tier to be accessible from the internet, it does not secure the application tier. Response D seems very similar to E at first glance, but looking deeper into it shows the response is another distractor. The suggested web security group is more open than the requirements request, and the application security group is attempting to utilize API Gateway again, and, as I stated earlier, this service is not a solution for the requirements.

So, as you can see, the best combination, and the only combination that provides a viable solution, is responses B and E. Until next time.
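As an added illustration of what responses B and E look like when actually deployed (this is example Terraform written for this page, not code from the walkthrough or from the course), the configuration below builds the internet gateway with one public and two private subnets (B) and the three chained security groups (E). The region, availability zone, CIDR ranges, the application port 8080 and the database port 5432 are assumptions chosen for the example; the stem does not specify them.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed for the example
}

locals {
  app_port = 8080 # assumed application port
  db_port  = 5432 # assumed database port (PostgreSQL-compatible cluster)
}

# Response B: VPC with an internet gateway, a public subnet for the web tier,
# and private subnets for the application and database tiers.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_subnet" "web" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true # web instances get public IPs
}

resource "aws_subnet" "app" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_subnet" "db" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.3.0/24"
  availability_zone = "us-east-1a"
}

# Only the web subnet is associated with a route table that reaches the
# internet gateway. The app and db subnets keep the VPC's main route table,
# which has no 0.0.0.0/0 route, so they are private.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "web" {
  subnet_id      = aws_subnet.web.id
  route_table_id = aws_route_table.public.id
}

# Response E: each tier's security group admits traffic only from the tier in
# front of it, referenced by security group ID rather than by CIDR.
resource "aws_security_group" "web" {
  name   = "web-tier"
  vpc_id = aws_vpc.main.id
  ingress {
    description = "HTTPS from the internet only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress { # allow outbound so the web tier can reach the app tier
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "app" {
  name   = "app-tier"
  vpc_id = aws_vpc.main.id
  ingress {
    description     = "Application port from the web security group only"
    from_port       = local.app_port
    to_port         = local.app_port
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  egress {
    from_port = 0
    to_port   = 0
    protocol  = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "db" {
  name   = "db-tier"
  vpc_id = aws_vpc.main.id
  ingress {
    description     = "Database port from the application security group only"
    from_port       = local.db_port
    to_port         = local.db_port
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

The point that separates E from D is visible in the `security_groups` references: the app tier admits connections from members of the web security group, whoever they are and whatever their IP, and the database tier admits only members of the app security group, so nothing with a public IP has a path to the database. The private subnets here have no route to the internet at all; if application instances later need outbound access for package updates, that would be a separate NAT gateway addition and is not part of the question.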