AWS Certified Solutions Architect - Associate

Get started today

Ultimate access to all questions.

Deep dive into the quiz with AI chat providers.

We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.

A solutions architect needs to design a highly available application consisting of web, application, and database tiers. HTTPS content delivery should be as close to the edge as possible, with the least delivery time.

Which solution meets these requirements and is MOST secure?

Other

Community

UAnonymous

Last updated: February 23, 2026 at 11:39

Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.

Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.

Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.

Explanation:

Explanation

Correct Answer: C

Why Option C is the best solution:

Security Best Practice: EC2 instances should be placed in private subnets to enhance security. This prevents direct internet access to the instances, reducing the attack surface.
CloudFront Integration: Using CloudFront with the ALB as the origin provides:
- Edge delivery: Content is cached at CloudFront edge locations, reducing latency
- HTTPS termination: CloudFront can handle SSL/TLS termination at the edge
- DDoS protection: CloudFront provides built-in DDoS mitigation
ALB as Origin: Using the ALB as the CloudFront origin is the correct pattern because:
- ALB can handle load balancing across multiple EC2 instances
- ALB provides health checks and automatic failover
- ALB can handle SSL termination if needed (though CloudFront can also do this)
- ALB provides a single endpoint for CloudFront to connect to

Why other options are incorrect:

Option A: Places EC2 instances in public subnets, which is less secure as instances are directly exposed to the internet.
Option B: Uses EC2 instances directly as CloudFront origin instead of ALB, which bypasses the load balancing and health check capabilities of ALB.
Option D: Combines the security flaw of public subnets with the architectural flaw of using EC2 instances directly as CloudFront origin.

Key Architecture Principles:

Defense in depth: Multiple layers of security (private subnets, ALB, CloudFront)
Edge optimization: CloudFront delivers content from edge locations
High availability: Multiple EC2 instances with ALB load balancing
Security: Private subnets protect backend instances from direct internet access

Powered ByGPT-5.2

Comments

Loading comments...