
AWS Certified Advanced Networking - Specialty
A company is deploying a new stateless web application on AWS, hosted on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are part of an Auto Scaling group. A stateful management application for administration will run on separate EC2 instances in a different Auto Scaling group. The company intends to access the management application using the same URL as the web application, with a /management path prefix, while maintaining identical protocol, hostname, and port number for both applications. Access to the management application must be limited to the company's on-premises IP address range, and the web application will be secured with an SSL/TLS certificate from AWS Certificate Manager (ACM).
Which two steps should a network engineer implement to fulfill these requirements?
Explanation:
To meet the requirements, the network engineer must configure the Application Load Balancer (ALB) to route requests with the /management path prefix to the management application target group, while restricting that access to the company's on-premises IP address space. This is done with rules on the ALB's HTTPS listener that use the path-pattern condition type for the /management prefix and the source-ip condition type for the on-premises IP address space.

Option A correctly describes inserting a rule for the ALB HTTPS listener that checks these conditions and forwards requests to the management application target group if there is a match. It also correctly mentions enabling stickiness for the management application target group, which is necessary for stateful applications.

Option D describes modifying the default rule for the ALB HTTPS listener to check the same conditions but forward requests to the web application target group if there is not a match, which is also necessary to ensure that all other requests are handled by the web application. Therefore, the correct options are A and D.
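The routing decision described above, as a simplified Python model added here for illustration (it is not part of the original question or any AWS code). The CIDR, the `/management*` pattern and the target group names are constructed assumptions; the point to notice is that a /management request from outside the on-premises range is not rejected but falls through to the web application target group.

```python
import ipaddress
import re

# Constructed placeholder: the page does not give the on-premises range.
ON_PREM_CIDRS = ["203.0.113.0/24"]

def path_matches(pattern, path):
    """path-pattern semantics: case-sensitive, '*' = 0+ chars, '?' = exactly 1 char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, path) is not None

def source_matches(cidrs, client_ip):
    """source-ip compares the address that connected to the ALB,
    not a value taken from the X-Forwarded-For header."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

# Listener rules, evaluated in priority order. All conditions in a rule
# must match (logical AND) before its forward action is taken.
RULES = [
    {
        "priority": 10,
        "path_patterns": ["/management*"],   # assumed pattern for the prefix
        "source_cidrs": ON_PREM_CIDRS,
        "target_group": "management-tg",     # hypothetical name; stickiness enabled
    },
]
DEFAULT_TARGET_GROUP = "web-tg"  # hypothetical name; used when no rule matches

def route(path, client_ip):
    """Return the target group a request would be forwarded to."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        path_ok = any(path_matches(p, path) for p in rule["path_patterns"])
        if path_ok and source_matches(rule["source_cidrs"], client_ip):
            return rule["target_group"]
    return DEFAULT_TARGET_GROUP

if __name__ == "__main__":
    for path, ip in [("/management/users", "203.0.113.25"),
                     ("/management/users", "198.51.100.7"),
                     ("/Management", "203.0.113.25"),
                     ("/", "203.0.113.25")]:
        print(f"{ip:15} {path:20} -> {route(path, ip)}")
```

Because off-premises requests for /management land on the web application, the web application should return nothing sensitive under that path.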