
Answer-first summary for fast verification
Answer: Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses.
## Explanation

**Correct Answer: A**

AWS WAF (Web Application Firewall) is the appropriate service for filtering web traffic based on IP addresses at the application layer (Layer 7). Here's why:

1. **AWS WAF is designed for ALB integration**: AWS WAF can be associated directly with an Application Load Balancer to filter HTTP/HTTPS traffic.
2. **IP-based filtering capability**: AWS WAF supports IP match conditions that let you create rules to allow or block traffic based on the source IP address.
3. **Scalability**: With 20,000+ retail locations, AWS WAF can handle the scale efficiently.
4. **Application-layer security**: Since this is HTTPS traffic on port 443 (application layer), AWS WAF operates at the appropriate layer.

**Why other options are incorrect:**

**B. AWS Firewall Manager**: While Firewall Manager can manage WAF rules across accounts, it is primarily for centralized management rather than direct IP filtering. It does not itself filter traffic at the ALB level.

**C. Lambda authorization function**: This adds unnecessary complexity and latency. Lambda authorizers are typically used for token-based authentication, not IP filtering. It would require every request to trigger a Lambda function and a DynamoDB query, which is inefficient for simple IP filtering.

**D. Network ACL**: Network ACLs operate at the subnet level (Layer 3/4) and have limitations:

- Maximum of 20 rules per direction (inbound/outbound)
- Rules are evaluated in order with a default deny
- Managing 20,000+ IP addresses would exceed the rule limit
- Network ACLs are stateless and less flexible than WAF rules

**Key Considerations:**

- AWS WAF IP sets can contain up to 10,000 IP addresses per set, and you can use multiple IP sets if needed
- The solution should be updated regularly as retail locations change their IP addresses
- Consider using AWS WAF rate-based rules for additional protection
- Monitor WAF logs in Amazon CloudWatch or S3 for security analysis
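As an added example (not code from the page, from LeetQuiz, or from AWS), this Python helper turns a list of registered store addresses into the shape the explanation describes: /32 CIDRs split across IP sets of at most 10,000 addresses, one Allow rule per IP set, and a Block default action for the web ACL. The function names and the IP-set ARN prefix are assumptions; the rule dictionaries follow the AWS WAFv2 CreateWebACL rule layout.

```python
import ipaddress

# Per-set cap quoted in the explanation above (AWS WAF IP set address limit).
MAX_ADDRESSES_PER_IP_SET = 10_000


def normalize_addresses(registered_ips):
    """Validate registered IPv4 addresses and return them as sorted /32 CIDRs,
    the form AWS WAF IP sets require; duplicates dropped, non-IPv4 rejected."""
    cidrs = set()
    for raw in registered_ips:
        addr = ipaddress.ip_address(raw.strip())  # ValueError on garbage input
        if addr.version != 4:
            raise ValueError(f"IPv4 IP set cannot hold {raw!r}")
        cidrs.add(f"{addr}/32")
    return sorted(cidrs, key=ipaddress.ip_network)


def chunk_ip_sets(cidrs, max_per_set=MAX_ADDRESSES_PER_IP_SET):
    """Split the address list into the minimum number of IP sets."""
    return [cidrs[i:i + max_per_set] for i in range(0, len(cidrs), max_per_set)]


def build_web_acl_rules(ip_set_arns):
    """One Allow rule per IP set. With the web ACL default action set to Block,
    any request whose source is not in a registered IP set is rejected."""
    rules = []
    for priority, arn in enumerate(ip_set_arns):
        rules.append({
            "Name": f"allow-registered-ips-{priority}",
            "Priority": priority,
            "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
            "Action": {"Allow": {}},
            "VisibilityConfig": {
                "SampledRequestsEnabled": True,
                "CloudWatchMetricsEnabled": True,
                "MetricName": f"AllowRegisteredIps{priority}",
            },
        })
    return rules


def plan_web_acl(registered_ips, ip_set_arn_prefix):
    """Return (ip_sets, rules, default_action): the IP sets to create, the
    rules referencing them, and the Block default the web ACL needs."""
    ip_sets = chunk_ip_sets(normalize_addresses(registered_ips))
    # Placeholder ARNs (assumption); real ones are returned when each IP set is created.
    arns = [f"{ip_set_arn_prefix}/retail-ips-{i}" for i in range(len(ip_sets))]
    return ip_sets, build_web_acl_rules(arns), {"Block": {}}
```

After the IP sets exist and their real ARNs are substituted, the returned rules can be serialised with `json.dumps` and supplied as the Rules of a `wafv2 create-web-acl` call, and the web ACL is then associated with the ALB.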
Author: LeetQuiz Editorial Team
A company has an application that serves clients that are deployed in more than 20,000 retail storefront locations around the world. The application consists of backend web services that are exposed over HTTPS on port 443. The application is hosted on Amazon EC2 instances behind an Application Load Balancer (ALB). The retail locations communicate with the web application over the public internet. The company allows each retail location to register the IP address that the retail location has been allocated by its local ISP.
The company's security team recommends increasing the security of the application endpoint by restricting access to only the IP addresses registered by the retail locations.
What should a solutions architect do to meet these requirements?
A. Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses.

B. Deploy AWS Firewall Manager to manage the ALB. Configure firewall rules to restrict traffic to the ALB. Modify the firewall rules to include the registered IP addresses.

C. Store the IP addresses in an Amazon DynamoDB table. Configure an AWS Lambda authorization function on the ALB to validate that incoming requests are from the registered IP addresses.

D. Configure the network ACL on the subnet that contains the public interface of the ALB. Update the ingress rules on the network ACL with entries for each of the registered IP addresses.