Your company is deploying a web application on AWS. The application requires a web server in a public subnet to be accessible from the internet and a database server that should only be accessible from the web server. Which of the following strategies provides appropriate network segmentation for the database server?
Place the database server in a public subnet and restrict access by only allowing traffic on the database port from the web server's Elastic IP address.
Deploy the database server in the same public subnet as the web server to ensure connectivity.
Implement a network ACL for the VPC that allows traffic from the web server to the database on the required port and denies all other inbound traffic.
Place the database server in a private subnet with a security group that only allows traffic from the web server's security group.