AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A company's web application is running on Amazon EC2 instances behind an Application Load Balancer. The company recently changed its policy, which now requires the application to be accessed from one specific country only. Which configuration will meet this requirement?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure the security group for the EC2 instances.

Configure the security group on the Application Load Balancer.

Configure AWS WAF on the Application Load Balancer in a VPC.

Configure the network ACL for the subnet that contains the EC2 instances.

Explanation:

Explanation

Correct Answer: C - Configure AWS WAF on the Application Load Balancer in a VPC.

Why this is correct:

AWS WAF (Web Application Firewall) is specifically designed to filter web traffic based on various criteria, including geographic location (GeoMatch conditions).
AWS WAF can be attached to Application Load Balancers to filter HTTP/HTTPS traffic before it reaches the backend EC2 instances.
With AWS WAF, you can create rules to allow or block traffic based on the country of origin using GeoMatch conditions.
This solution operates at the application layer (Layer 7), which is appropriate for web application traffic.

Why other options are incorrect:

A. Configure the security group for the EC2 instances.

Security groups operate at the instance level and filter traffic based on IP addresses, ports, and protocols.
They cannot filter traffic based on geographic location or country.
Security groups are stateful and work at the network/transport layer (Layer 3/4), not the application layer.

B. Configure the security group on the Application Load Balancer.

Similar to option A, security groups on ALBs filter based on IP addresses, ports, and protocols.
They cannot perform geographic filtering.
While ALB security groups are important for security, they don't provide country-based access control.

D. Configure the network ACL for the subnet that contains the EC2 instances.

Network ACLs operate at the subnet level and filter traffic based on IP addresses, ports, and protocols.
They are stateless and work at the network/transport layer (Layer 3/4).
Network ACLs cannot filter traffic based on geographic location or country.

Key AWS Services for Geographic Filtering:

AWS WAF - Best for web applications (HTTP/HTTPS traffic) with Application Load Balancers, CloudFront, or API Gateway.
Amazon CloudFront - Can use geographic restrictions at the CDN level.
AWS Shield Advanced - Includes AWS WAF capabilities for DDoS protection with geographic filtering.

Implementation Approach:

Create an AWS WAF web ACL.
Add a GeoMatch rule to allow traffic only from the specific country.
Attach the web ACL to the Application Load Balancer.
Configure the rule to block all other traffic not from the allowed country.

This solution ensures that only users from the specified country can access the web application while maintaining the existing architecture with EC2 instances behind an Application Load Balancer.

Powered ByGPT-5.2

Comments

Loading comments...