An architect is designing a multi-tier application and wants to ensure that database instances in the data tier are not directly accessible from the internet. What is the best approach?
-
A
Place database instances in a public subnet with strict Security Groups
-
B
Place database instances in a private subnet with no route to an Internet Gateway
-
C
Use NACLs to block port 3306 on the Internet Gateway
-
D
Assign database instances Elastic IP addresses and restrict access via IAM