
Answer-first summary for fast verification
Answer: Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB. Configure the ALB to forward only requests that contain the custom HTTP header.
To ensure that the EC2 instances behind the Application Load Balancer (ALB) receive traffic only from Amazon CloudFront, the company should configure CloudFront to add a custom HTTP header to the requests it sends to the ALB (Option B). The header marks a request as having passed through CloudFront. The ALB should then be configured to forward only requests that contain this custom HTTP header (Option C), so any request without the header, which implies it did not come through CloudFront, is rejected. Together, the two settings block direct traffic to the ALB.
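Options B and C expressed as a CloudFormation fragment. This is an added example, not part of the original question or the editorial team's answer; the logical IDs, parameter names and the header name `X-Origin-Verify` are assumptions.

```yaml
# Added example. Logical IDs, parameters and the header name are assumptions.
Parameters:
  AlbDnsName: {Type: String}
  AlbArn: {Type: String}
  TargetGroupArn: {Type: String}
  CertificateArn: {Type: String}
  CachePolicyId: {Type: String}
  OriginVerifyValue: {Type: String, NoEcho: true}  # supplied at deploy time, not hard-coded
Resources:
  Distribution:              # Option B: CloudFront adds the header to origin requests
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: alb-origin
            DomainName: !Ref AlbDnsName
            CustomOriginConfig: {OriginProtocolPolicy: https-only}
            OriginCustomHeaders:
              - HeaderName: X-Origin-Verify
                HeaderValue: !Ref OriginVerifyValue
        DefaultCacheBehavior:
          TargetOriginId: alb-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: !Ref CachePolicyId
  Listener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref AlbArn
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:        # anything that matches no rule is refused
        - Type: fixed-response
          FixedResponseConfig: {StatusCode: "403"}
  ForwardFromCloudFront:     # Option C: forward only when the header matches
    Type: AWS::ElasticLoadBalancingV2::ListenerRule
    Properties:
      ListenerArn: !Ref Listener
      Priority: 1
      Conditions:
        - Field: http-header
          HttpHeaderConfig:
            HttpHeaderName: X-Origin-Verify
            Values: [!Ref OriginVerifyValue]
      Actions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
```

The header value works as a shared secret between CloudFront and the ALB, so the `https-only` origin policy and the HTTPS listener keep it from being readable in transit.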
Author: LeetQuiz Editorial Team
A company has deployed an Application Load Balancer (ALB) to manage traffic to their public-facing applications. Recently, they experienced a DDoS attack, prompting them to place Amazon CloudFront in front of the ALB to prevent direct access to the EC2 instances. Despite this measure, they notice that some traffic is bypassing CloudFront and still reaching the ALB, potentially exposing the EC2 instances to direct traffic. What two actions should the company take to ensure that only traffic from CloudFront reaches the EC2 instances behind the ALB?
A. Configure CloudFront to add a cache key policy to allow a custom HTTP header that CloudFront sends to the ALB.
B. Configure CloudFront to add a custom HTTP header to requests that CloudFront sends to the ALB.
C. Configure the ALB to forward only requests that contain the custom HTTP header.
D. Configure the ALB and CloudFront to use the X-Forwarded-For header to check client IP addresses.
E. Configure the ALB and CloudFront to use the same X.509 certificate that is generated by AWS Certificate Manager (ACM).