AWS SAP-C02 · Question 69 · Domain 1.2: Security Controls
A company has a multi-tier application running in a VPC. The web tier is in public subnets, and the application and database tiers are in private subnets. The security team wants to implement microsegmentation to ensure that the web tier can only communicate with the application tier on port 8080, and the application tier can only communicate with the database tier on port 3306. All other internal traffic must be blocked. What is the MOST scalable way to implement this?
Answer options:
Use Security Groups. Configure the application tier Security Group to only accept ingress on port 8080 from the web tier Security Group ID. Configure the database tier Security Group to only accept ingress on port 3306 from the application tier Security Group ID.
Use Network Access Control Lists (NACLs). Create rules to allow traffic on specific ports between the CIDR blocks of the public and private subnets.
Deploy AWS Network Firewall in a central inspection VPC. Route all traffic between the tiers through the Transit Gateway to the Network Firewall.
Use AWS WAF and attach it to the Elastic Network Interfaces (ENIs) of the application and database instances.