
Answer-first summary for fast verification
Answer: Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
To ensure that all traffic from the internet is inspected by the firewall fleet before it reaches the EC2 instances, the network engineer must route that traffic through the Gateway Load Balancer (GLB) endpoint. That means updating the application subnet route table so its default route points to the GLB endpoint, which hands the traffic to the firewall fleet for inspection. Option A describes this process: deploy a transit gateway, attach a GLB endpoint to it, attach the application VPC to it, and set the application subnet route table's default route destination to the GLB endpoint. It also notes that the EC2 instances' security group must allow traffic from the GLB endpoint, which is required for the traffic to reach the instances. Option B mentions the route table and security group changes but does not describe the use of a transit gateway or the correct routing setup. Options C and D propose moving the GLB into the application VPC or creating a gateway route table, neither of which is a necessary step for achieving the desired traffic flow through the firewalls. Therefore, the correct answer is A.
Author: LeetQuiz Editorial Team
How should a network engineer modify the existing AWS environment to route all internet traffic through the fleet of third-party firewalls deployed in a standalone VPC using a Gateway Load Balancer (GLB) before it reaches the public EC2 instances?
A
Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
B
Update the application subnet route table to have a default route to the GLB. On the standalone VPC that contains the firewall fleet, add a route in the route table for the application VPC's CIDR block with the GLB endpoint as the destination. Update the EC2 instances' security group to allow traffic from the GLB.
C
Provision a GLB endpoint in the application VPC in a new subnet. Create a gateway route table with a route that specifies the application subnet CIDR block as the destination and the GLB endpoint as the target. Associate the gateway route table with the internet gateway in the application VPC. Update the application subnet route table's default route destination to be the GLB endpoint.
D
Instruct the security engineer to move the GLB into the application VPC. Create a gateway route table. Associate the gateway route table with the application subnet. Add a default route to the gateway route table with the GLB as its destination. Update the route table on the GLB to direct traffic from the internet gateway to the application servers. Ensure that the EC2 instances' security group allows traffic from the GLB.