AWS Certified Solutions Architect - Associate
Get started today
Ultimate access to all questions.
Deep dive into the quiz with AI chat providers.
We prepare a focused prompt with your quiz and certificate details so each AI can offer a more tailored, in-depth explanation.
A solutions architect must secure a VPC network that hosts Amazon EC2 instances. The EC2 instances contain highly sensitive data and run in a private subnet. According to company policy, the EC2 instances that run in the VPC can access only approved third-party software repositories on the internet for software product updates that use the third party's URL. Other internet traffic must be blocked.
Which solution meets these requirements?
Other
Community
UAnonymous
A
Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
B
Set up an AWS WAF web ACL. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
C
Implement strict inbound security group rules. Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs.
D
Configure an Application Load Balancer (ALB) in front of the EC2 instances. Direct all outbound traffic to the ALB. Use a URL-based rule listener in the ALB's target group for outbound access to the internet.
Explanation:
Explanation
Correct Answer: A
Why Option A is correct:
- AWS Network Firewall is a stateful, managed network firewall service that can filter traffic at the VPC level.
- Domain list rule groups allow you to create allow lists or deny lists based on domain names, which is exactly what's needed to allow only specific third-party software repository URLs.
- By routing outbound traffic from the private subnet through AWS Network Firewall, you can enforce URL/domain-based filtering policies.
- This solution provides granular control over which specific domains/URLs EC2 instances can access while blocking all other internet traffic.
Why other options are incorrect:
Option B (AWS WAF):
- AWS WAF is designed to protect web applications from common web exploits at Layer 7 (HTTP/HTTPS).
- It's not suitable for general outbound internet traffic filtering from EC2 instances.
- AWS WAF works with CloudFront, Application Load Balancer, or API Gateway, not directly with EC2 instances in a private subnet.
Option C (Security Groups):
- Security groups operate at the instance level and can only filter traffic based on IP addresses, ports, and protocols, not URLs.
- You cannot specify URLs in security group rules; you can only specify IP address ranges (CIDR blocks).
- This approach would require knowing the IP addresses of the third-party repositories, which may change and is not practical.
Option D (Application Load Balancer):
- ALB is designed for inbound traffic distribution to backend targets, not for controlling outbound traffic from EC2 instances.
- ALB cannot filter outbound traffic from EC2 instances; it's an inbound load balancer.
- URL-based rules in ALB are for routing incoming requests, not for controlling outbound internet access.
Key AWS Services Concepts:
- AWS Network Firewall: Provides stateful inspection, intrusion prevention and detection, and web filtering capabilities.
- Domain List Rule Groups: Allow you to specify lists of domain names to allow or deny traffic to.
- Private Subnet: EC2 instances in a private subnet have no direct internet access; they need a NAT gateway or similar for outbound internet access.
- The solution would typically involve routing traffic through a NAT gateway to AWS Network Firewall for inspection before reaching the internet.
Comments
Loading comments...