
A company runs a web application that is deployed on Amazon EC2 instances in the private subnet of a VPC. An Application Load Balancer (ALB) that extends across the public subnets directs web traffic to the EC2 instances. The company wants to implement new security measures to restrict inbound traffic from the ALB to the EC2 instances while preventing access from any other source inside or outside the private subnet of the EC2 instances.
Which solution will meet these requirements?
A
Configure a route in a route table to direct traffic from the internet to the private IP addresses of the EC2 instances.
B
Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.
C
Move the EC2 instances into the public subnet. Give the EC2 instances a set of Elastic IP addresses.
D
Configure the security group for the ALB to allow any TCP traffic on any port.
Explanation:
Option B is correct because it is the only option that restricts the instances' inbound traffic to the ALB and nothing else:
Security Group Referencing: A security group rule can name another security group as its source instead of a CIDR block. Configuring the EC2 instances' security group to allow the application port (for example TCP 80 or 443) only from the ALB's security group means a packet is accepted only if it arrives from a network interface that is a member of the ALB's security group, regardless of the source IP address.
Principle of Least Privilege: Only the one component that must reach the instances, the ALB, is allowed, and only on the port the target group uses. The ALB's own security group still needs an inbound rule for client traffic (typically TCP 443 and/or 80 from 0.0.0.0/0), which is what makes the ALB the single entry point.
Dynamic and Scalable: ALB nodes are added, removed and replaced as the load balancer scales, and their IP addresses change. Because the rule references the security group rather than specific addresses, it keeps working without maintenance; a CIDR-based rule would either break or have to be opened to the whole subnet.
Blocks All Other Traffic: Security groups deny everything that is not explicitly allowed, so with this single inbound rule no other host inside the private subnet, elsewhere in the VPC, or on the internet can reach the instances. Any other inbound rules already on the instances' security group (a self-referencing rule, an SSH rule, a subnet CIDR) must be removed for the requirement to hold.
Why other options are incorrect:
Option A: Route tables decide where packets are forwarded, not whether they are permitted, so adding a route provides no filtering at all. It also does not achieve what it describes: private IP addresses are not reachable from the internet, and a private subnet has no route to an internet gateway. Nothing about this option restricts traffic to the ALB.
Option C: Moving the instances into the public subnet and assigning Elastic IP addresses gives them public, directly reachable addresses, which is the opposite of what is required and enlarges the attack surface instead of shrinking it.
Option D: The ALB's security group governs what traffic is accepted by the ALB itself. Opening it to any TCP port loosens the ALB's exposure and does nothing to restrict who can reach the EC2 instances; other sources could still send traffic to the instances if their own security group allowed it.
Best Practice: In AWS, when you want to restrict traffic from a load balancer to backend instances, use security group referencing: the backend instances' security group allows only the target-group port, with the load balancer's security group as the source, and the load balancer's security group allows only the listener ports from clients. This is the standard pattern for securing multi-tier applications in AWS, and it is worth verifying after the change that the instance security group carries no other inbound rules.
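The check a practitioner would run after applying option B, as an added example that is not part of the original quiz page: a small audit that walks the inbound rules of an instance security group in the shape returned by `aws ec2 describe-security-groups` (the `IpPermissions`, `IpRanges`, `Ipv6Ranges`, `PrefixListIds` and `UserIdGroupPairs` fields) and reports every source that is not the ALB's security group on the application port. The security group IDs, account ID and the two sample groups (one configured as option B describes, one with the kind of leftover rules the explanation above says must be removed) are constructed for the example and are not real resources.

```python
"""Audit an EC2 instance security group: only the ALB's security group on the app port."""
from typing import Any, Dict, List

# Hypothetical identifiers for this example; substitute your own.
ALB_SG_ID = "sg-0123456789abcdef0"
APP_PORT = 80

# Constructed sample in the shape of a describe-security-groups SecurityGroups
# entry. This one matches option B: one rule, app port, ALB group as source.
CORRECT_SG: Dict[str, Any] = {
    "GroupId": "sg-0aaaaaaaaaaaaaaaa",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": ALB_SG_ID, "UserId": "123456789012"}],
        }
    ],
}

# Constructed sample with the ALB rule plus typical leftovers that defeat the
# requirement: a VPC-wide CIDR, an allow-all rule, and SSH from another group.
WEAK_SG: Dict[str, Any] = {
    "GroupId": "sg-0bbbbbbbbbbbbbbbb",
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": ALB_SG_ID, "UserId": "123456789012"}],
        },
        {
            "IpProtocol": "-1",  # -1 means all protocols; no FromPort/ToPort
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [],
        },
        {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
            "UserIdGroupPairs": [{"GroupId": "sg-0ccccccccccccccccc", "UserId": "123456789012"}],
        },
    ],
}


def describe_port(perm: Dict[str, Any]) -> str:
    """Render an IpPermissions entry's protocol and port range as text."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return f"{proto} (all ports)"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_instance_sg(sg: Dict[str, Any], alb_sg_id: str, app_port: int) -> List[str]:
    """Return findings for every inbound rule that is not 'ALB group on app port'.

    An empty list means the group admits exactly the ALB's security group on
    tcp/app_port and nothing else. A missing ALB rule is also reported, since
    the instances would then be unreachable through the load balancer.
    """
    findings: List[str] = []
    alb_rule_found = False
    for perm in sg.get("IpPermissions", []):
        where = describe_port(perm)
        # Any address-based source (IPv4/IPv6 CIDR or prefix list) admits hosts
        # that are not the ALB, including neighbours in the private subnet.
        for r in perm.get("IpRanges", []):
            findings.append(f"IPv4 CIDR {r['CidrIp']} allowed on {where}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 CIDR {r['CidrIpv6']} allowed on {where}")
        for r in perm.get("PrefixListIds", []):
            findings.append(f"prefix list {r['PrefixListId']} allowed on {where}")
        # Group-referenced sources are fine only when the group is the ALB's
        # and the rule is limited to the application port.
        for pair in perm.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId")
            if gid != alb_sg_id:
                findings.append(f"security group {gid} allowed on {where}")
                continue
            exact_app_port = (
                perm.get("IpProtocol") == "tcp"
                and perm.get("FromPort") == app_port
                and perm.get("ToPort") == app_port
            )
            if exact_app_port:
                alb_rule_found = True
            else:
                findings.append(f"ALB group {gid} allowed on {where}, wider than tcp/{app_port}")
    if not alb_rule_found:
        findings.append(f"no rule admits {alb_sg_id} on tcp/{app_port}")
    return findings


if __name__ == "__main__":
    for sg in (CORRECT_SG, WEAK_SG):
        result = audit_instance_sg(sg, ALB_SG_ID, APP_PORT)
        print(sg["GroupId"], "OK" if not result else "FINDINGS:")
        for line in result:
            print("  -", line)
```

Against live data, feed each entry of `describe_security_groups()["SecurityGroups"]` for the instances' group into `audit_instance_sg`; the function only inspects inbound rules, so outbound rules and the ALB's own group need a separate look.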