
Answer-first summary for fast verification
Answer: Configure AWS WAF on the Application Load Balancer in a VPC.
## Explanation

**Correct Answer: C - Configure AWS WAF on the Application Load Balancer in a VPC.**

**Why this is correct:**

1. **AWS WAF (Web Application Firewall)** is specifically designed to filter web traffic based on various criteria, including geographic location (GeoMatch conditions).
2. AWS WAF can be attached to Application Load Balancers to filter HTTP/HTTPS traffic before it reaches the backend EC2 instances.
3. With AWS WAF, you can create rules to allow or block traffic based on the country of origin using GeoMatch conditions.
4. This solution operates at the application layer (Layer 7), which is appropriate for web application traffic.

**Why other options are incorrect:**

**A. Configure the security group for the EC2 instances.**

- Security groups operate at the instance level and filter traffic based on IP addresses, ports, and protocols.
- They cannot filter traffic based on geographic location or country.
- Security groups are stateful and work at the network/transport layer (Layer 3/4), not the application layer.

**B. Configure the security group on the Application Load Balancer.**

- Similar to option A, security groups on ALBs filter based on IP addresses, ports, and protocols.
- They cannot perform geographic filtering.
- While ALB security groups are important for security, they don't provide country-based access control.

**D. Configure the network ACL for the subnet that contains the EC2 instances.**

- Network ACLs operate at the subnet level and filter traffic based on IP addresses, ports, and protocols.
- They are stateless and work at the network/transport layer (Layer 3/4).
- Network ACLs cannot filter traffic based on geographic location or country.

**Key AWS Services for Geographic Filtering:**

1. **AWS WAF** - Best for web applications (HTTP/HTTPS traffic) with Application Load Balancers, CloudFront, or API Gateway.
2. **Amazon CloudFront** - Can use geographic restrictions at the CDN level.
3. **AWS Shield Advanced** - Includes AWS WAF capabilities for DDoS protection with geographic filtering.

**Implementation Approach:**

1. Create an AWS WAF web ACL.
2. Add a GeoMatch rule to allow traffic only from the specific country.
3. Attach the web ACL to the Application Load Balancer.
4. Configure the rule to block all other traffic not from the allowed country.

This solution ensures that only users from the specified country can access the web application while maintaining the existing architecture with EC2 instances behind an Application Load Balancer.
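The implementation approach above, written out against the AWS WAFv2 API as an added example (not code from the quiz or from AWS). The web ACL name, metric names and the helper functions are assumptions, and `evaluate` is a simplified local model of rule evaluation, not AWS's engine.

```python
import re

def build_geo_allow_web_acl(name, country_code):
    """Build create_web_acl arguments: allow one country, block everything else."""
    if not re.fullmatch(r"[A-Z]{2}", country_code):
        raise ValueError("country_code must be an ISO 3166-1 alpha-2 code such as 'DE'")
    def visibility(metric):
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

    return {
        "Name": name,
        "Scope": "REGIONAL",             # ALB associations are REGIONAL; CLOUDFRONT is for CloudFront
        "DefaultAction": {"Block": {}},  # step 4: anything no rule allows is blocked
        "Rules": [{
            "Name": f"allow-{country_code}",
            "Priority": 0,
            "Statement": {"GeoMatchStatement": {"CountryCodes": [country_code]}},  # step 2
            "Action": {"Allow": {}},
            "VisibilityConfig": visibility(f"allow-{country_code}"),
        }],
        "VisibilityConfig": visibility(name),
    }

def evaluate(web_acl, request_country):
    """Simplified model: first matching rule by priority wins, else the default action."""
    for rule in sorted(web_acl["Rules"], key=lambda r: r["Priority"]):
        codes = rule["Statement"]["GeoMatchStatement"]["CountryCodes"]
        if request_country in codes:
            return next(iter(rule["Action"]))
    return next(iter(web_acl["DefaultAction"]))

def deploy(web_acl, alb_arn, region):
    """Steps 1 and 3: create the web ACL, then attach it to the load balancer."""
    import boto3  # imported here so the functions above run without AWS access
    client = boto3.client("wafv2", region_name=region)
    arn = client.create_web_acl(**web_acl)["Summary"]["ARN"]
    client.associate_web_acl(WebACLArn=arn, ResourceArn=alb_arn)
    return arn
```

The default action is what enforces "one country only": with `DefaultAction` set to `Allow`, the same geo rule would permit every request regardless of origin.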
Author: LeetQuiz Editorial Team
A company's web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only. Which configuration will meet this requirement?
A. Configure the security group for the EC2 instances.
B. Configure the security group on the Application Load Balancer.
C. Configure AWS WAF on the Application Load Balancer in a VPC.
D. Configure the network ACL for the subnet that contains the EC2 instances.