
A company operates a two-tier application for image processing. The application uses two Availability Zones, each with one public subnet and one private subnet. An Application Load Balancer (ALB) for the web tier uses the public subnets. Amazon EC2 instances for the application tier use the private subnets.
Users report that the application is running more slowly than expected. A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small number of IP addresses. A solutions architect needs to resolve the immediate performance problem while the company investigates a more permanent solution.
What should the solutions architect recommend to meet this requirement?
A. Modify the inbound security group for the web tier. Add a deny rule for the IP addresses that are consuming resources.
B. Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.
C. Modify the inbound security group for the application tier. Add a deny rule for the IP addresses that are consuming resources.
D. Modify the network ACL for the application tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.
Explanation:
Correct Answer: B
Why Option B is correct:
Network ACLs vs Security Groups: Network ACLs operate at the subnet level and are stateless; because they sit at the subnet boundary, they can block traffic before it reaches the instances. Security Groups operate at the instance level and are stateful.
Immediate performance impact: The problem is that millions of illegitimate requests are reaching the web tier, consuming resources. Network ACLs can block these requests at the subnet boundary before they even reach the ALB or instances, providing immediate relief from the performance impact.
Web tier focus: Since the illegitimate requests are hitting the web tier (ALB in public subnets), modifying the network ACL for the web tier subnets will block these requests at the entry point.
Stateless nature: Network ACLs evaluate all traffic, both inbound and outbound, and can immediately drop malicious traffic without processing it further.
Why other options are incorrect:
Option A: Security groups are stateful and operate at the instance level. While they could block traffic, the requests would still reach the ALB/instances, consuming network bandwidth and processing resources before being denied.
Option C: The application tier is in private subnets behind the ALB. The illegitimate requests are hitting the web tier (ALB), not directly reaching the application tier.
Option D: Similar to C, the application tier is not directly exposed to the internet, and the requests are not reaching there directly.
Key AWS Concepts:
Best Practice: For immediate blocking of known malicious IP addresses at scale, Network ACLs are more effective as they prevent traffic from entering the subnet entirely, reducing resource consumption on the ALB and instances.
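As an added example (not part of the quiz page), a small Python model of how AWS evaluates inbound network ACL rules: ascending rule number, first match wins, implicit final deny. The offender CIDRs and the existing allow rule are constructed sample data; the example shows the practical caveat that the deny rules only take effect when numbered below the subnet's existing allow rule.

```python
import ipaddress

# Constructed sample data for the web-tier public subnets (not real AWS data).
# AWS evaluates network ACL rules in ascending rule-number order; the first
# matching rule decides. If nothing matches, the implicit "*" rule denies.
def evaluate_nacl(rules, src_ip, port, proto="tcp"):
    """Return (rule_number, action) of the first rule matching an inbound packet.

    rules: list of dicts with keys number, action, cidr, proto, ports=(lo, hi).
    A rule with proto "all" matches any protocol and any port.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["number"]):
        if ip not in ipaddress.ip_network(rule["cidr"]):
            continue
        if rule["proto"] != "all":
            if rule["proto"] != proto:
                continue
            lo, hi = rule["ports"]
            if not lo <= port <= hi:
                continue
        return rule["number"], rule["action"]
    return "*", "deny"  # implicit default rule at the end of every NACL

ABUSIVE_CIDRS = ["203.0.113.0/24", "198.51.100.7/32"]  # constructed offenders

# The allow-HTTPS-from-anywhere rule the web-tier subnets already had.
ALLOW_HTTPS = {"number": 100, "action": "allow", "cidr": "0.0.0.0/0",
               "proto": "tcp", "ports": (443, 443)}

def build_rules(deny_number):
    """Existing allow rule plus one deny rule per offender, numbered from deny_number."""
    denies = [{"number": deny_number + i, "action": "deny", "cidr": cidr,
               "proto": "all", "ports": (0, 65535)}
              for i, cidr in enumerate(ABUSIVE_CIDRS)]
    return [ALLOW_HTTPS] + denies

def check_blocking(deny_number):
    """True only if every offender is denied AND a legitimate client is still allowed."""
    rules = build_rules(deny_number)
    abusive_denied = all(evaluate_nacl(rules, cidr.split("/")[0], 443)[1] == "deny"
                         for cidr in ABUSIVE_CIDRS)
    legit_allowed = evaluate_nacl(rules, "192.0.2.10", 443)[1] == "allow"
    return abusive_denied and legit_allowed

if __name__ == "__main__":
    print(check_blocking(50))   # deny rules 50-51 sit before allow 100: True
    print(check_blocking(200))  # deny rules numbered after allow 100 never match: False
```

The second call is the common mistake: a deny rule added after the allow-all rule never fires, so the offending traffic still reaches the ALB.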