Your company is deploying a web application on AWS. The application requires a web server in a public subnet to be accessible from the internet and a database server that should only be accessible from the web server. Which of the following strategies provides appropriate network segmentation for the database server?
Implement a network ACL for the VPC that allows traffic from the web server to the database on the required port and denies all other inbound traffic.
Place the database server in a public subnet and restrict access by only allowing traffic on the database port from the web server's Elastic IP address.
Place the database server in a private subnet with a security group that only allows traffic from the web server's security group.
Deploy the database server in the same public subnet as the web server to ensure connectivity.