AWS Certified Solutions Architect - Professional (#196)

You have been asked to set up a public website on AWS with the following criteria: You want the database and the application server running on an Amazon VPC. You want the database to be able to connect to the Internet so that it can be automatically updated to the correct patch level. You do not want to receive any incoming traffic from the Internet to the database. Which solutions would be the best to satisfy all the above requirements for your planned public website on AWS? (Choose 2 answers)

Set up both the public website and the database on a public subnet and block all incoming requests from the Internet with a Network Access Control List (NACL)
Set up both the public website and the database on a public subnet, and block all incoming requests from the Internet with a security group which only allows access from the IP of the public website.
Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance.
Set up both the public website and the database on a private subnet and block all incoming requests from the Internet with a Network Access Control List (NACL). Set up a Security group between the public website and the database which only allows access via port 80.