VPC & Security Groups — SAA-C03 Practice Question
A representative AWS Solutions Architect Associate (SAA-C03) exam question on VPC & Security Groups. Work through it below, then read why each option is right or wrong.
Short answer
The correct answer is D. Replace the network ACL with a new one that allows inbound traffic from the application tier subnets' CIDR blocks, ensuring allow rules have lower rule numbers than deny rules.
Network ACLs evaluate rules in order by rule number (lowest first). Creating a new NACL with explicit allow rules for the application tier CIDR blocks at low rule numbers, followed by a deny-all at a higher rule number, ensures only the application tier can reach the database. Replacing the NACL (rather than modifying in-place) avoids a window where partial rule changes could disrupt traffic.
The Question
A company runs a three-tier web application in a VPC. The web tier is in public subnets, the application tier is in private subnets, and the database tier is in isolated private subnets. A security audit reveals that the database tier's network ACLs allow all inbound traffic from 0.0.0.0/0. The solutions architect must restrict database access to only the application tier while ensuring existing connections are not disrupted during the change. Which approach should the solutions architect take?
Why D is correct
Network ACLs evaluate rules in order by rule number (lowest first). Creating a new NACL with explicit allow rules for the application tier CIDR blocks at low rule numbers, followed by a deny-all at a higher rule number, ensures only the application tier can reach the database. Replacing the NACL (rather than modifying in-place) avoids a window where partial rule changes could disrupt traffic.
Why the other options are wrong
Modifying the existing NACL in place can cause disruption. When you change rules on a live NACL, there is a brief period where the rule set is inconsistent. The approach described also does not mention the required outbound rules (NACLs are stateless).
Removing NACLs entirely removes a layer of defense-in-depth. While security groups alone can restrict access, best practice for sensitive database tiers is to use both NACLs and security groups. This also does not meet the requirement of restricting at the network ACL level.
Network ACLs do not support referencing security group IDs. NACLs only work with CIDR blocks, IP addresses, and port ranges. This is a common exam trap — security groups can reference other security groups, but NACLs cannot.
Key idea: VPC & Security Groups
Why D is correct: Network ACLs evaluate rules in order by rule number (lowest first). Creating a new NACL with explicit allow rules for the application tier CIDR blocks at low rule numbers, followed by a deny-all at a higher rule number, ensures only the application tier can reach the database. Replacing the NACL (rather than modifying in-place) avoids a window where partial rule changes could disrupt traffic. Why A is wrong: Modifying the existing NACL in place can cause disruption. When you change rules on a live NACL, there is a brief period where the rule set is inconsistent. The approach described also does not mention the required outbound rules (NACLs are stateless). Why B is wrong: Removing NACLs entirely removes a layer of defense-in-depth. While security groups alone can restrict access, best practice for sensitive database tiers is to use both NACLs and security groups. This also does not meet the requirement of restricting at the network ACL level. Why C is wrong: Network ACLs do not support referencing security group IDs. NACLs only work with CIDR blocks, IP addresses, and port ranges. This is a common exam trap — security groups can reference other security groups, but NACLs cannot. On the SAA-C03 exam, questions in the "Design Secure Architectures" domain test whether you can map a scenario's constraints to the right choice. Read the requirement carefully, eliminate options that violate any single constraint, and pick the one that satisfies all of them with the least operational overhead.
Ready to see how you'd score?
Take the free practice quiz and find out which AWS Solutions Architect Associate domains you need to focus on. No signup required.
Practice 5 similar questions
Same cert, same or adjacent domain. Use these after reviewing the explanation.