Question 27
Domain 3: Infrastructure, Network, and Workload Security
Which cloud network design BEST limits east-west traffic between web, application, and database tiers?
Correct answer: A
Explanation
Separating the web, application, and database tiers into different subnets or segments creates network boundaries that reduce lateral movement. Tightly scoped security groups or NSGs then enforce least privilege by allowing only the specific east-west flows each tier needs, which is the standard way to limit internal traffic between tiers.
Why each option is right or wrong
A. Use separate subnets or segments for each tier with tightly scoped security groups or NSGs between them
AWS VPC security groups (attached to network interfaces) and Azure Network Security Groups (attached to subnets or NICs) are stateful, layer-4 controls that permit only explicitly allowed traffic. Placing the web, application, and database tiers into distinct subnets or segments creates separate routing boundaries, and the security groups or NSGs then restrict inter-tier flows to only the required ports and sources. In practice, the web tier is allowed to reach the app tier only on the application port, and the app tier to reach the database tier only on the database port, while every other east-west path remains denied by default under a least-privilege policy.
B. Place every workload in one flat subnet to simplify routing
C. Assign public IP addresses to all workloads so they can reach each other directly
D. Use one shared administrative account for all tiers to reduce management overhead