
Answer-first summary for fast verification
Answer: Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.
## Explanation

**Correct Answer: C**

**Why Option C is the best solution:**

1. **Security Best Practice**: EC2 instances should be placed in **private subnets** to enhance security. This prevents direct internet access to the instances, reducing the attack surface.
2. **CloudFront Integration**: Using CloudFront with the ALB as the origin provides:
   - **Edge delivery**: Content is cached at CloudFront edge locations, reducing latency
   - **HTTPS termination**: CloudFront can handle SSL/TLS termination at the edge
   - **DDoS protection**: CloudFront provides built-in DDoS mitigation
3. **ALB as Origin**: Using the ALB as the CloudFront origin is the correct pattern because:
   - ALB can handle load balancing across multiple EC2 instances
   - ALB provides health checks and automatic failover
   - ALB can handle SSL termination if needed (though CloudFront can also do this)
   - ALB provides a single endpoint for CloudFront to connect to

**Why other options are incorrect:**

- **Option A**: Places EC2 instances in public subnets, which is less secure because the instances are directly exposed to the internet.
- **Option B**: Uses EC2 instances directly as the CloudFront origin instead of the ALB, which bypasses the load balancing and health check capabilities of the ALB.
- **Option D**: Combines the security flaw of public subnets with the architectural flaw of using EC2 instances directly as the CloudFront origin.

**Key Architecture Principles:**

- **Defense in depth**: Multiple layers of security (private subnets, ALB, CloudFront)
- **Edge optimization**: CloudFront delivers content from edge locations
- **High availability**: Multiple EC2 instances with ALB load balancing
- **Security**: Private subnets protect backend instances from direct internet access
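The option C topology as a Terraform sketch; this is an added example, not code from the page or from LeetQuiz. It assumes that `aws_subnet.public`, `aws_subnet.private`, `aws_security_group.alb`, `aws_security_group.web`, `var.web_ami`, and an HTTPS listener with a target group on the ALB are defined elsewhere.

```hcl
# Added example: public ALB in public subnets, EC2 in private subnets,
# CloudFront using the ALB (not the instances) as its origin.
# Assumed to exist elsewhere: subnets, security groups, var.web_ami,
# and an ALB HTTPS listener on 443 forwarding to the instances.

resource "aws_instance" "web" {
  count                  = 2                     # redundant instances
  ami                    = var.web_ami
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.private[count.index].id  # private: no route from the internet
  vpc_security_group_ids = [aws_security_group.web.id]          # should allow inbound only from the ALB SG
}

resource "aws_lb" "public" {
  name               = "web-alb"
  internal           = false                     # the only internet-facing component
  load_balancer_type = "application"
  subnets            = aws_subnet.public[*].id
  security_groups    = [aws_security_group.alb.id]
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled = true

  origin {
    domain_name = aws_lb.public.dns_name         # ALB is the single origin endpoint
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"      # keep edge-to-origin traffic encrypted
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https" # HTTPS terminated at the edge
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies { forward = "none" }
    }
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}
```

Options A and D differ from this only in placing `aws_instance.web` in `aws_subnet.public`; options B and D point `origin.domain_name` at the instances instead of `aws_lb.public.dns_name`.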
Author: LeetQuiz Editorial Team
A solutions architect needs to design a highly available application consisting of web, application, and database tiers. HTTPS content delivery should be as close to the edge as possible, with the least delivery time.
Which solution meets these requirements and is MOST secure?
A. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

B. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.

C. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

D. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.