
Answer-first summary for fast verification
Answer: Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
The question requires a solution that ensures the application is accessible only through the AWS Global Accelerator and not directly over the internet. This means the ALB should not be directly accessible from the internet, which can be achieved by placing it in a private subnet and configuring the security group to allow traffic only from the accelerator's IP addresses.
Option A is incorrect because it suggests configuring the ALB's security group to allow inbound traffic from the internet, which contradicts the requirement.
Option B is also incorrect for the same reason as Option A.
Option C is incorrect because it suggests placing the ALB in a public subnet and allowing traffic from the internet, which again contradicts the requirement.
Option D is the correct answer because it places the ALB in a private subnet, configures the accelerator with endpoint groups that include the ALB endpoint, and configures the ALB's security group to only allow inbound traffic from the accelerator's IP addresses, meeting all the requirements.
Author: LeetQuiz Editorial Team
A company has an AWS-hosted application in the us-east-1 Region, deployed within a VPC, that monitors vending machine inventory levels and triggers automatic restocking. The application uses an Amazon ECS cluster behind an Application Load Balancer (ALB) and communicates with vending machines globally over HTTPS. The company intends to use AWS Global Accelerator with static IP addresses configured in the vending machines for accessing the application endpoint. The application must only be accessible through the accelerator and not directly via the ALB endpoint over the internet.
What solution fulfills these requirements?
A
Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
B
Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
C
Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
D
Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.