When AWS exam questions describe a database that “cannot be accessed from the internet” and must only be reachable from the application tier, they’re testing your ability to design secure tiered architectures. The key pattern: place your load balancer in the public subnet to accept internet traffic, and keep both the application servers and database servers in private subnets with tightly controlled security groups.

Use Case: Backend Database with Strict Security Requirements

A company operates a backend Amazon RDS database that must never be publicly accessible due to strict data protection policies. The application layer, sitting behind an Application Load Balancer (ALB), needs to connect to this database over a specific port, but no other inbound access should be permitted.

The challenge

  • Prevent public internet access to the database.

  • Route traffic only through the ALB to the application servers.

  • Allow only the application tier to communicate with the RDS instance over its database port.

Step 1 – Place Application & Database Tiers in Private Subnets

Action: Deploy the application servers and the RDS DB instance into private subnets (for RDS, via a DB subnet group that contains only private subnets), and keep the ALB in public subnets. An internet-facing ALB needs a subnet in at least two Availability Zones, so plan a public subnet per AZ you use.

Why

  • Public subnet → internet-facing ALB only. A subnet is "public" because its route table has a 0.0.0.0/0 route to an internet gateway.

  • Private subnets → the route table has no route to an internet gateway, so application and database servers have no public IPs and are not reachable from the internet (outbound access, e.g. for patches, goes through a NAT gateway if needed).

  • All inbound traffic from the internet terminates at the ALB, which forwards it to targets in the private subnets, maintaining a single, well-defined boundary.

  • For RDS, also leave "Publicly accessible" set to No. Private subnets already block the path, but the setting keeps the instance from getting a public endpoint in the first place.

Step 2 – Lock Down Access with Security Groups

Action

  • ALB SG → inbound allowed from the internet (0.0.0.0/0) on 80/443 only; outbound restricted to the App SG on the application port.

  • App Tier SG → inbound allowed only from the ALB SG on the application port; outbound restricted to the DB SG on the database port.

  • DB Tier SG → inbound allowed only from the App SG, restricted to the engine's port (3306 for MySQL/MariaDB, 5432 for PostgreSQL, 1433 for SQL Server, 1521 for Oracle).

  • Remove all other inbound rules, including the default allow-all and any rule that names the VPC CIDR: "from 10.0.0.0/16" is not the same as "from the App SG", because it also admits bastions, lambdas and anything else that lands in the VPC.

Why

  • Security groups act as stateful virtual firewalls attached to each elastic network interface: return traffic for an allowed inbound connection is permitted automatically, so the DB SG needs no outbound rule for its responses.

  • This enforces least privilege: the DB only accepts traffic from the application servers, and the application servers only accept traffic from the ALB. Because the rules reference security-group IDs rather than IP ranges, they keep working when instances are replaced or scaled and their addresses change.
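Steps 1 and 2 as an offline audit, written here as an added example (this is not code from the original page). It checks the properties the two steps rely on: that the app and DB subnets have no route to an internet gateway, that the RDS instance is not flagged publicly accessible, and that the three security groups form the ALB → App → DB chain with no CIDR-based or off-port rules. The input dictionaries mimic the shapes returned by boto3's describe_route_tables, describe_security_groups and describe_db_instances so the same functions could be fed real API output; all sample data and IDs below are constructed, and the expected rule set is an assumed policy, not something AWS enforces by itself.

```python
"""Offline audit of the ALB -> app -> DB layout from Steps 1 and 2.

Added example, not code from the original page. Inputs mimic boto3's
describe_route_tables / describe_security_groups / describe_db_instances
shapes; all sample data and IDs are constructed for this example.
"""

DB_PORTS = {3306, 5432}  # MySQL/MariaDB, PostgreSQL; add 1433, 1521, ... as needed


def _has_igw_route(route_table):
    return any(r.get("GatewayId", "").startswith("igw-") for r in route_table["Routes"])


def subnet_is_private(subnet_id, route_tables):
    """True when the subnet's route table (explicit association, else the VPC's
    main table) has no route to an internet gateway. 'Private' is a property of
    the routing, not a flag on the subnet object."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return not _has_igw_route(rt)
    for rt in route_tables:
        if any(a.get("Main") for a in rt["Associations"]):
            return not _has_igw_route(rt)
    raise ValueError(f"no route table found for {subnet_id}")


def ingress_rules(group):
    """Flatten IpPermissions into (from_port, to_port, source) triples; source is
    a CIDR or a referenced security-group ID. Missing ports mean all ports."""
    for perm in group["IpPermissions"]:
        fp, tp = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        for r in perm.get("IpRanges", []):
            yield fp, tp, r["CidrIp"]
        for r in perm.get("Ipv6Ranges", []):
            yield fp, tp, r["CidrIpv6"]
        for g in perm.get("UserIdGroupPairs", []):
            yield fp, tp, g["GroupId"]


def audit_deployment(route_tables, alb_sg, app_sg, db_sg, rds, app_subnets):
    """Return a list of findings; an empty list means the layout matches the pattern."""
    findings = []
    alb_id, app_id, db_id = alb_sg["GroupId"], app_sg["GroupId"], db_sg["GroupId"]

    # Step 1: app and DB subnets are private, and RDS is not flagged publicly accessible.
    for s in app_subnets:
        if not subnet_is_private(s, route_tables):
            findings.append(f"app subnet {s} has a route to an internet gateway")
    for s in rds["DBSubnetGroup"]["Subnets"]:
        if not subnet_is_private(s["SubnetIdentifier"], route_tables):
            findings.append(f"DB subnet {s['SubnetIdentifier']} has a route to an internet gateway")
    if rds.get("PubliclyAccessible"):
        findings.append(f"{rds['DBInstanceIdentifier']} is PubliclyAccessible=true")

    # Step 2: the SG chain. ALB: only 80/443. App: only from the ALB SG.
    # DB: only from the app SG, and only on a DB port.
    for fp, tp, src in ingress_rules(alb_sg):
        if not (fp == tp and fp in (80, 443)):
            findings.append(f"{alb_id}: unexpected inbound {fp}-{tp} from {src}")
    for fp, tp, src in ingress_rules(app_sg):
        if src != alb_id:
            findings.append(f"{app_id}: inbound {fp}-{tp} from {src}, expected only {alb_id}")
    for fp, tp, src in ingress_rules(db_sg):
        if src != app_id:
            findings.append(f"{db_id}: inbound {fp}-{tp} from {src}, expected only {app_id}")
        elif not (fp == tp and fp in DB_PORTS):
            findings.append(f"{db_id}: {app_id} allowed on {fp}-{tp}, which is not a DB port")
    return findings


# --- constructed sample data; every ID is hypothetical ---
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-pub1"}],  # public: default route to the IGW
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123"}]},
    {"Associations": [{"Main": True}],  # private subnets use the main table: NAT only
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456"}]},
]


def make_sg(group_id, perms):
    return {"GroupId": group_id, "IpPermissions": perms}


ALB_SG = make_sg("sg-alb", [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
])
APP_SG = make_sg("sg-app", [
    {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
])
DB_SG_GOOD = make_sg("sg-db", [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
])
# The common mistake: the DB port opened to the VPC CIDR instead of to the app SG.
DB_SG_BAD = make_sg("sg-db", [
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
])
RDS = {"DBInstanceIdentifier": "orders-db", "PubliclyAccessible": False,
       "DBSubnetGroup": {"Subnets": [{"SubnetIdentifier": "subnet-priv1"},
                                     {"SubnetIdentifier": "subnet-priv2"}]}}
APP_SUBNETS = ["subnet-priv1", "subnet-priv2"]

if __name__ == "__main__":
    print(audit_deployment(ROUTE_TABLES, ALB_SG, APP_SG, DB_SG_GOOD, RDS, APP_SUBNETS))  # []
    print(audit_deployment(ROUTE_TABLES, ALB_SG, APP_SG, DB_SG_BAD, RDS, APP_SUBNETS))
```

The "bad" DB security group is the one that most often slips through review: it has no 0.0.0.0/0 rule and every console check looks green, yet the DB accepts 5432 from the whole VPC CIDR rather than from the app tier only. The audit flags it because the check is on the rule's source being the app SG ID, which is exactly the SG-to-SG reference the exam keywords point at.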

Architecture Overview

  • VPC: Contains both public and private subnets.

  • Public Subnet: ALB resides here, handling internet-facing requests.

  • Private Subnet: Hosts application servers and database servers, isolated from the internet.

  • Security Groups: ALB → App Tier → DB Tier. Each tier's SG names the upstream tier's SG as its inbound source (App SG allows from ALB SG, DB SG allows from App SG) instead of using CIDR ranges.

AWS Certification Exam Insights

This “ALB in public, app & DB in private” setup is a classic Solutions Architect exam pattern.

Watch for keywords

  • “Database cannot be accessed from the internet” → Private subnet.

  • “Only accessible from the application tier” → Security group referencing another SG.

  • “Internet-facing requests handled first” → ALB in public subnet.

Exam Tip: The best answer almost always combines subnet placement (public vs. private) with SG-to-SG rules, not CIDR blocks.

Cheat Sheet: Secure RDS with ALB + Private Subnets

  Category             | Best Practice                     | Details / Key Points
  ---------------------|-----------------------------------|----------------------------------------------------------------------
  Subnet configuration | App + DB in private subnets       | No public IPs, no route to an internet gateway; reached only via the ALB or internal connections.
  Public subnet        | ALB only                          | Terminates internet traffic and forwards requests to targets in the private subnets.
  ALB SG               | Inbound 80/443 from the internet  | Outbound restricted to the App SG on the application port.
  App SG               | Inbound from the ALB SG only      | Outbound restricted to the DB SG on the DB port.
  DB SG                | Inbound from the App SG only      | Restricted to 3306/5432 or the engine's port; no CIDR-based rules.
  Architecture pattern | Multi-tier isolation              | Public subnets for the ALB; private subnets for application + DB.

Exam keywords to map directly to answers

  • “Internet-facing component” → ALB in public subnet.

  • “Database cannot be accessed from internet” → DB in private subnet.

  • “Only app tier can access DB” → SG-to-SG references.

Ready to take your AWS Solutions Architect – Associate prep to the next level?
Join our Study Notes and Study Group to connect with fellow learners, access structured exam-aligned resources (study notes, flashcards, scenario-based questions, personalized study plans with email reminders, and the ability to add notes to any lesson), and participate in weekly, exam-aligned sessions using a live AWS environment to explore architecture decisions through a real-world e-commerce application.

📺 New to the platform? Watch the YouTube playlist to see all the features in action: https://www.youtube.com/playlist?list=PLqwTb4xwPh0e7w3iNS6I7UzAds7wNlAo7
