In the context of AWS Cloud Hardware Security Module(HSM), does your application need to
reside in the same VPC as the CloudHSM instance?
A.
No, but the server or instance on which your application and the HSM client is running must have
network (IP) reachability to the HSM.
B.
Yes, always
C.
No, but they must reside in the same Availability Zone.
D.
No, but it should reside in same Availability Zone as the DB instance.
Explanation:
Your application does not need to reside in the same VPC as the CloudHSM instance. However,
the server or instance on which your application and the HSM client is running must have network
(IP) reachability to the HSM. You can establish network connectivity in a variety of ways,
including operating your application in the same VPC, with VPC peering, with a VPN connection,
or with Direct Connect.
https://aws.amazon.com/cloudhsm/faqs/
HSM can also be used in VPC peering, so A is correct.