A company wants to protect a database server so that it cannot be accessed directly from the internet. How should the database server be placed within a VPC?

Correct answer: D

Explanation

A question asking which VPC placement isolates a DB from the internet.

  • "cannot be accessed directly from the internet": block direct reachability from outside = private subnet
  • "placed within a VPC": isolation by the type of subnet
  • "database server": a backend resource that does not need to be exposed
A: Incorrect

Place it in a public subnet and configure a route to an internet gateway.

A public subnet has a route to an internet gateway and is reachable directly from outside.

This is the opposite of the requirement to protect the database from direct access, so it is incorrect.

B: Incorrect

Place it directly outside the VPC (on the internet).

Placing it outside the VPC is not appropriate as an AWS network design, and it provides no protection.

It does not meet the requirement to protect from the internet, so it is incorrect.

C: Incorrect

Place it in a subnet where you can log in as the root user.

The root user is the administrator of the AWS account, a concept unrelated to subnet placement.

It is not a method of network isolation, so it is incorrect.

D: Correct

Place it in a private subnet with no direct route to the internet.

This is correct. A private subnet has no direct route to an internet gateway, so it cannot be reached directly from outside. Place resources that do not need to be exposed, such as databases, here; when they need outbound access, route it through a NAT gateway, which allows egress without opening an inbound path from the internet.

Key Takeaway

Place resources that do not need to be exposed (such as DBs) in a private subnet (no direct route to an IGW) to isolate them. If outbound communication is needed, go through a NAT gateway. Web servers that must be public go in a public subnet.
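The subnet classification the takeaway describes can be checked mechanically. The following is an added example, not part of the original question: it classifies subnets from route-table data in the shape returned by `aws ec2 describe-route-tables` (an assumption about the input format; all resource IDs are constructed sample values), treating a subnet as public only when its effective route table sends 0.0.0.0/0 to an internet gateway, and as private when that default route goes to a NAT gateway instead.

```python
# Added example, not part of the original question: classify subnets from
# route-table data shaped like `aws ec2 describe-route-tables` output. A subnet
# is public only if its route table sends 0.0.0.0/0 to an internet gateway;
# a 0.0.0.0/0 route to a NAT gateway keeps it private but allows egress.
# All resource IDs below are constructed sample values.

CONSTRUCTED_ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
    # main route table: subnets with no explicit association fall back to it
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]

def classify_routes(routes):
    """Return 'public', 'private' (NAT egress only) or 'isolated' (no default route)."""
    for r in routes:
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(r.get("GatewayId", "")).startswith("igw-"):
            return "public"      # directly reachable from the internet
        if "NatGatewayId" in r:
            return "private"     # outbound only; no inbound path from the internet
    return "isolated"

def classify_subnets(route_tables, subnet_ids):
    """Map each subnet to its class, honouring explicit associations and
    falling back to the VPC main route table, as EC2 does."""
    explicit, main_routes = {}, []
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_routes = rt["Routes"]
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt["Routes"]
    return {s: classify_routes(explicit.get(s, main_routes)) for s in subnet_ids}

def exposed_subnets(route_tables, backend_subnet_ids):
    """Audit check: backend subnets (e.g. for a DB) that are public violate the requirement."""
    classes = classify_subnets(route_tables, backend_subnet_ids)
    return sorted(s for s, c in classes.items() if c == "public")

if __name__ == "__main__":
    print(classify_subnets(CONSTRUCTED_ROUTE_TABLES, ["subnet-web", "subnet-db", "subnet-app"]))
```

Running it on the constructed tables reports subnet-web as public, subnet-db as private and the unassociated subnet-app as isolated; feeding real `describe-route-tables` output to `exposed_subnets` with your database subnet IDs flags any DB subnet that has drifted into a public configuration.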