
Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 3 discussion

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?

  • A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
  • B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
  • C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
  • D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
Suggested Answer: A

Comments

[Removed]
Highly Voted 2 months, 3 weeks ago
Selected Answer: A
Answer: A. Configure the ALB in a private subnet of the VPC without adding internet gateway routes. Use the Global Accelerator endpoint groups for access, and set the ALB's security group to allow inbound traffic only from the Global Accelerator. Explanation: This configuration ensures the application is accessible only through the Global Accelerator, blocking direct internet access to the ALB.
upvoted 37 times
...
study_aws1
Highly Voted 1 year, 6 months ago
This is not a normal scenario of attaching IGW to EC2 instance by creating a route in subnet. Please read the below link typically describing ELB integration with AWS Global Accelerator (and the last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet."
upvoted 26 times
...
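An added example, not part of the thread or of the AWS documentation: a check of the three conditions in the passage quoted above (internal ALB, internet gateway attached to the VPC, no internet gateway route in the ALB's subnets). The function names are hypothetical, and the inputs are constructed dicts shaped like the `describe_load_balancers`, `describe_internet_gateways` and `describe_route_tables` responses, so it runs offline.

```python
def effective_route_table(subnet_id, vpc_id, route_tables):
    """Explicitly associated table if any, else the VPC's main table."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def check_private_alb_endpoint(alb, igws, route_tables):
    """Return findings; an empty list means the layout matches the quoted text."""
    findings = []
    vpc_id = alb["VpcId"]
    if alb["Scheme"] != "internal":
        findings.append(f"ALB scheme is {alb['Scheme']}, expected internal")
    attached = any(
        att.get("VpcId") == vpc_id and att.get("State") in ("available", "attached")
        for igw in igws for att in igw.get("Attachments", []))
    if not attached:
        findings.append(f"no internet gateway attached to {vpc_id}")
    for az in alb["AvailabilityZones"]:
        subnet = az["SubnetId"]
        rt = effective_route_table(subnet, vpc_id, route_tables)
        if rt is None:
            findings.append(f"{subnet}: no route table found")
            continue
        for route in rt.get("Routes", []):
            gw = route.get("GatewayId") or ""
            if gw.startswith("igw-"):
                findings.append(f"{subnet}: route {route.get('DestinationCidrBlock')} via {gw}")
    return findings

# Constructed sample data (not from a real account).
ALB = {"Scheme": "internal", "VpcId": "vpc-0example",
       "AvailabilityZones": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}]}
IGWS = [{"InternetGatewayId": "igw-0example",
         "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]
RT_MAIN = {"VpcId": "vpc-0example", "Associations": [{"Main": True}],
           "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
RT_B = {"VpcId": "vpc-0example", "Associations": [{"SubnetId": "subnet-b"}],
        "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}

if __name__ == "__main__":
    print(check_private_alb_endpoint(ALB, IGWS, [RT_MAIN]))        # compliant layout
    print(check_private_alb_endpoint(ALB, IGWS, [RT_MAIN, RT_B]))  # subnet-b has an IGW route
```

Subnets with no explicit association fall back to the VPC's main route table, which is why the lookup tracks it separately.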
Ravan
Most Recent 3 weeks, 5 days ago
Selected Answer: D
ALB in a private subnet: Ensures that the ALB cannot be accessed directly from the internet, protecting it from unauthorized access. Internet gateway: Allows the ALB to communicate with the internet, even though it's in a private subnet. Routes pointing to the internet gateway: Enables the ALB to send responses back to the internet through the Global Accelerator. Global Accelerator: Provides a globally distributed load balancer that can be accessed through static IP addresses, making it ideal for applications that need to be accessible from multiple locations worldwide. Endpoint groups: Associate the ALB with the Global Accelerator, allowing traffic to be routed to it. Security group: Restricts inbound traffic to the ALB, ensuring only traffic from the Global Accelerator can reach the application.
upvoted 1 times
...
[Removed]
1 month, 2 weeks ago
Answer: A.
upvoted 2 times
...
Jonalb
1 month, 3 weeks ago
Selected Answer: A
Aaaaaaaaaaaaaaaaaaaaaaaa
upvoted 1 times
...
hkh2
1 month, 3 weeks ago
A is the answer https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
upvoted 1 times
...
seochan
4 months ago
D is wrong. When using internal ALB, you must use Preserve Client IP on the Global Accelerator. In that case, the security group in your ALB should allow all internet traffic (because you should allow the IP addresses of your clients), not Global Accelerator's IP. Plus, the target VPC of the Global Accelerator must attach an Internet gateway.
upvoted 1 times
...
kourosh
4 months, 4 weeks ago
A is the correct answer.
upvoted 1 times
...
Raphaello
5 months, 3 weeks ago
Selected Answer: D
Correct answer is D. The request is to allow flow ONLY through the accelerator and not through a direct connection over the internet to the ALB endpoint. So clearly option A (Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port) is not the answer. D is correct.
upvoted 1 times
...
xTrayusx
5 months, 3 weeks ago
Selected Answer: D
Placing the ALB in a private subnet ensures that it is not directly accessible from the internet. The ALB's security group should be configured to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port. This ensures that only traffic originating from the accelerator is allowed to access the ALB.
upvoted 1 times
...
vikasj1in
7 months, 1 week ago
Selected Answer: A
Placing the ALB in a private subnet ensures that it is not directly accessible from the internet. Adding an internet gateway without adding routes in the subnet route tables prevents direct internet traffic to the ALB. Configuring the AWS Global Accelerator with endpoint groups that include the ALB endpoint allows controlled access to the application through the accelerator. Configuring the ALB's security group to only allow inbound traffic from the internet on the ALB listener port further restricts direct access, ensuring that the application is accessed only through the AWS Global Accelerator.
upvoted 2 times
...
Marfee400704
7 months, 1 week ago
I think that the correct answer is A according to SPOTO products.
upvoted 1 times
...
marfee
7 months, 2 weeks ago
I think that the correct answer is A.
upvoted 1 times
...
merajk
10 months, 1 week ago
Selected Answer: A
Well described here: https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
upvoted 2 times
ChinkSantana
8 months, 1 week ago
Well explained here: When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet.
upvoted 1 times
...
...
task_7
11 months ago
Selected Answer: A
https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-private-application-load-balancers-and-instances-through-aws-global-accelerator/
upvoted 4 times
...
Andrea13
11 months, 3 weeks ago
The correct answer is C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the accelerator’s IP addresses on the ALB listener port.
upvoted 3 times
...
MEDES
12 months ago
This is not a normal scenario of attaching IGW to EC2 instance by creating a route in subnet. Please read the below link typically describing ELB integration with AWS Global Accelerator (and the last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet."
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted