
Answer-first summary for fast verification
Answer: Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
## Explanation

**Correct Answer: A**

**Why Option A is correct:**

1. **AWS Network Firewall** is a managed, stateful network firewall that inspects traffic at the VPC level: you place a firewall endpoint in a dedicated subnet and point route tables at it.
2. **Domain list rule groups** are stateful rule groups that allow or deny traffic by domain name, matched on the HTTP `Host` header and the TLS SNI. That is exactly what is needed to permit only the approved third-party repositories identified by URL. HTTPS repositories work without decryption because the SNI is sent in clear text in the TLS ClientHello.
3. Routing the private subnet's outbound (0.0.0.0/0) traffic to the firewall endpoint forces every egress flow through that domain filter.
4. With an allow list in place and the policy's default action set to drop unmatched flows, the instances can reach the listed domains and nothing else on the internet.

**Why other options are incorrect:**

**Option B (AWS WAF):**
- AWS WAF protects web applications from Layer 7 (HTTP/HTTPS) attacks on inbound requests.
- It attaches to CloudFront, Application Load Balancer, API Gateway and similar resources, not to EC2 instances or a subnet, so it has no role in outbound traffic from instances.
- Filtering by IP address range sets would also not express a policy that is defined by URL.

**Option C (Security Groups):**
- Security groups operate at the instance (ENI) level and match on protocol, port and source/destination (CIDR blocks, prefix lists or other security groups), never on URLs or hostnames.
- Allowing a repository by address would require knowing and maintaining its IP ranges, which change and are often shared behind CDNs, so the rule would either break updates or over-permit.

**Option D (Application Load Balancer):**
- An ALB distributes inbound requests to backend targets; it is not an egress path and cannot be the default route of a subnet.
- Its URL-based listener rules route incoming requests; they do not control what the instances can reach on the internet.

**Key AWS Services Concepts:**
- **AWS Network Firewall:** stateful inspection, intrusion prevention and detection with Suricata-compatible rules, and domain-based web filtering.
- **Domain List Rule Groups:** lists of domain names to allow or deny, matched against HTTP `Host` / TLS SNI for flows whose source is in `HOME_NET` (by default the CIDR of the VPC the firewall is deployed in).
- **Private Subnet:** instances there have no direct internet route; outbound access goes through a NAT gateway. In the typical design the private subnet's default route points at the firewall endpoint, the firewall subnet routes on to the NAT gateway and internet gateway, and return routes are configured symmetrically so both directions of a flow pass the same endpoint.
- Caveat: the `Host` header and SNI are supplied by the client. A process on a compromised instance can present an approved SNI while connecting to an unapproved address, so pair the domain allow list with a default drop for unmatched flows, enable firewall alert and flow logging, and, where the sensitivity of the data warrants it, add TLS inspection or an explicit egress proxy.
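The configuration that option A describes, written out as an added Terraform example for the AWS provider (this is not code from the page, from LeetQuiz or from AWS). The VPC id and CIDR, the private subnet's route table and availability zone, the dedicated firewall subnet, and the two repository domains in `approved_repos` are assumed placeholders; the NAT gateway, internet gateway and the firewall subnet's own routes are assumed to exist and are not shown.

```hcl
# Added example, not from the original page. Inputs below are assumptions.
variable "vpc_id"             { type = string }
variable "vpc_cidr"           { type = string } # e.g. "10.0.0.0/16"
variable "private_subnet_az"  { type = string } # AZ of the private subnet
variable "private_rt_id"      { type = string } # route table of the private subnet
variable "firewall_subnet_id" { type = string } # dedicated subnet for the firewall endpoint

# Assumed allow list. A leading dot matches the domain and all its subdomains.
locals {
  approved_repos = ["repo.example.com", ".ubuntu.com"]
}

# Stateful domain list rule group with allow-list semantics: Network Firewall
# generates pass rules for these names and drop rules for every other
# HTTP Host / TLS SNI value. HOME_NET is set explicitly so only flows
# sourced from this VPC are evaluated against the list.
resource "aws_networkfirewall_rule_group" "approved_repos" {
  name     = "approved-software-repos"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = [var.vpc_cidr]
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["HTTP_HOST", "TLS_SNI"]
        targets              = local.approved_repos
      }
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

# Policy: all traffic is sent to the stateful engine, and any established
# flow that no pass rule matched is dropped. aws:drop_established (rather
# than aws:drop_strict) lets the TCP/TLS handshake through so the SNI can be
# read, then drops the flow if the name is not on the list. This is what
# turns "allow these domains" into "block all other internet traffic".
resource "aws_networkfirewall_firewall_policy" "egress" {
  name = "restricted-egress"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    stateful_default_actions = ["aws:drop_established"]

    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.approved_repos.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "egress" {
  name                = "egress-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.egress.arn

  subnet_mapping {
    subnet_id = var.firewall_subnet_id
  }
}

# Map each AZ to the firewall endpoint created in it.
locals {
  firewall_endpoint_by_az = {
    for s in aws_networkfirewall_firewall.egress.firewall_status[0].sync_states :
    s.availability_zone => s.attachment[0].endpoint_id
  }
}

# The route table change from option A: the private subnet's default route
# goes to the firewall endpoint in the same AZ. The firewall subnet's route
# table (0.0.0.0/0 -> NAT gateway -> internet gateway) and the symmetric
# return routes are assumed to exist.
resource "aws_route" "private_default_to_firewall" {
  route_table_id         = var.private_rt_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.firewall_endpoint_by_az[var.private_subnet_az]
}
```

Two things to check after `terraform apply`: from an instance in the private subnet, `curl -sI https://repo.example.com` should succeed while `curl -sI https://example.org` should hang and be logged as a dropped flow; and the instances' DNS still resolves because queries go to the VPC resolver, which never traverses the firewall endpoint.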
Author: LeetQuiz Editorial Team
A solutions architect must secure a VPC network that hosts Amazon EC2 instances. The EC2 instances contain highly sensitive data and run in a private subnet. According to company policy, the EC2 instances that run in the VPC can access only approved third-party software repositories on the internet for software product updates that use the third party's URL. Other internet traffic must be blocked.
Which solution meets these requirements?
A
Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
B
Set up an AWS WAF web ACL. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
C
Implement strict inbound security group rules. Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs.
D
Configure an Application Load Balancer (ALB) in front of the EC2 instances. Direct all outbound traffic to the ALB. Use a URL-based rule listener in the ALB's target group for outbound access to the internet.