Answer-first summary for fast verification
Answer: Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
To ensure that all internet traffic is inspected by the fleet of firewalls before reaching the EC2 instances, the network engineer needs to configure the routing in such a way that traffic from the internet is directed through the Gateway Load Balancer (GLB) which is connected to the third-party firewalls. Option A suggests deploying a transit gateway, attaching a GLB endpoint to it, and then attaching the application VPC to the transit gateway. This setup allows for the traffic to be routed through the GLB endpoint, ensuring that it passes through the firewall fleet for inspection. The application subnet route table's default route is updated to direct traffic to the GLB endpoint, and the EC2 instances' security group is configured to allow traffic from the GLB endpoint. This approach effectively meets the requirement by ensuring that all traffic is inspected by the firewalls before reaching the application servers.
Author: LeetQuiz Editorial Team
Ultimate access to all questions.
No comments yet.
How should a network engineer modify the existing AWS environment, which includes public application servers running on Amazon EC2 instances in a VPC subnet with associated Elastic IP addresses, to route all internet traffic through a fleet of third-party firewalls deployed in a standalone VPC using a Gateway Load Balancer (GLB) for firewall inspection before reaching the EC2 instances?
A
Deploy a transit gateway. Attach a GLB endpoint to the transit gateway. Attach the application VPC to the transit gateway. Update the application subnet route table's default route destination to be the GLB endpoint. Ensure that the EC2 instances' security group allows traffic from the GLB endpoint.
B
Update the application subnet route table to have a default route to the GLOn the standalone VPC that contains the firewall fleet, add a route in the route table for the application VPC's CIDR block with the GLB endpoint as the destination. Update the EC2 instances' security group to allow traffic from the GLB.
C
Provision a GLB endpoint in the application VPC in a new subnet. Create a gateway route table with a route that specifies the application subnet CIDR block as the destination and the GLB endpoint as the target. Associate the gateway route table with the internet gateway in the application VPUpdate the application subnet route table's default route destination to be the GLB endpoint.
D
Instruct the security engineer to move the GLB into the application VPC. Create a gateway route table. Associate the gateway route table with the application subnet. Add a default route to the gateway route table with the GLB as its destination. Update the route table on the GLB to direct traffic from the internet gateway to the application servers. Ensure that the EC2 instances' security group allows traffic from the GLB.