AWS Certified Advanced Networking - Specialty

How should a network engineer modify an existing AWS environment so that all internet traffic is routed through a fleet of third-party firewalls, deployed in a standalone VPC behind a Gateway Load Balancer (GLB), and inspected before it reaches the EC2 instances? The environment consists of public application servers running on Amazon EC2 instances in a VPC subnet, each with an associated Elastic IP address.
Explanation:

To ensure that all internet traffic is inspected by the fleet of firewalls before reaching the EC2 instances, the network engineer needs to configure the routing in such a way that traffic from the internet is directed through the Gateway Load Balancer (GLB) which is connected to the third-party firewalls. Option A suggests deploying a transit gateway, attaching a GLB endpoint to it, and then attaching the application VPC to the transit gateway. This setup allows for the traffic to be routed through the GLB endpoint, ensuring that it passes through the firewall fleet for inspection. The application subnet route table's default route is updated to direct traffic to the GLB endpoint, and the EC2 instances' security group is configured to allow traffic from the GLB endpoint. This approach effectively meets the requirement by ensuring that all traffic is inspected by the firewalls before reaching the application servers.