ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 3 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 3
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?

  • A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port.
  • B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
  • C. Configure the ALB in a public subnet of the VPAttach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
  • D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️
by happystrawberry at March 18, 2023, 6:29 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
study_aws1
Highly Voted 2 years ago
This is not a normal scenario of attaching IGW to EC2 instance by creating a route in subnet. Please read the below link typically describing ELB integration with AWS Global accelator (and the last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet."
upvoted 29 times
...
study_aws1
Highly Voted 2 years ago
Based on the above, the correct choice should be option A)
upvoted 14 times
...
Jonalb
Most Recent 5 months, 4 weeks ago
Selected Answer: A
You also don't need an associated internet gateway route for the subnet.
upvoted 1 times
...
73f8ac3
6 months ago
Selected Answer: D
Private subnet: Placing the ALB in a private subnet ensures that it is not directly accessible from the internet, enhancing security. Internet gateway: The internet gateway allows outbound traffic from the private subnet to reach the internet, which is necessary for the ALB to communicate with the AWS Global Accelerator. Route tables: The routes in the subnet route tables point to the internet gateway, ensuring that traffic from the ALB can reach the internet. Endpoint groups: The endpoint groups in the AWS Global Accelerator associate the ALB endpoint with the accelerator, allowing the vending machines to connect to the ALB through the accelerator's static IP address. Security group: The ALB's security group restricts inbound traffic to only the IP addresses of the AWS Global Accelerator, preventing direct internet access to the ALB.
upvoted 1 times
...
vikasj1in
6 months, 3 weeks ago
Selected Answer: A
Placing the ALB in a private subnet ensures that it is not directly accessible from the internet. Adding an internet gateway without adding routes in the subnet route tables prevents direct internet traffic to the ALB. Configuring the AWS Global Accelerator with endpoint groups that include the ALB endpoint allows controlled access to the application through the accelerator. Configuring the ALB's security group to only allow inbound traffic from the internet on the ALB listener port further restricts direct access, ensuring that the application is accessed only through the AWS Global Accelerator.
upvoted 2 times
...
Ravan
6 months, 3 weeks ago
Selected Answer: D
ALB in a private subnet: Ensures that the ALB cannot be accessed directly from the internet, protecting it from unauthorized access. Internet gateway: Allows the ALB to communicate with the internet, even though it's in a private subnet. Routes pointing to the internet gateway: Enables the ALB to send responses back to the internet through the Global Accelerator. Global Accelerator: Provides a globally distributed load balancer that can be accessed through static IP addresses, making it ideal for applications that need to be accessible from multiple locations worldwide. Endpoint groups: Associate the ALB with the Global Accelerator, allowing traffic to be routed to it. Security group: Restricts inbound traffic to the ALB, ensuring only traffic from the Global Accelerator can reach the application.
upvoted 1 times
...
Jonalb
8 months, 3 weeks ago
Selected Answer: A
Aaaaaaaaaaaaaaaaaaaaaaaa
upvoted 1 times
...
hkh2
8 months, 3 weeks ago
A is the answer https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
upvoted 1 times
...
seochan
11 months ago
D is wrong. When using internal ALB, you must use Preserve Client IP on the Global Accelerator. In that case, the security group in your ALB should allow all internet traffic (because you should allow the IP addresses of your clients), not Global Accelerator's IP. Plus, the target VPC of the Global Accelerator must attach an Internet gateway.
upvoted 2 times
...
kourosh
11 months, 4 weeks ago
A is the correct answer.
upvoted 1 times
...
Raphaello
1 year ago
Selected Answer: D
Correct answer is D. The request is to allow flow ONLY through the accelerator and not through a direct connection over the internet to the ALB endpoint. So clearly option A (Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port) is not the answer. D is correct.
upvoted 1 times
...
xTrayusx
1 year ago
Selected Answer: D
Placing the ALB in a private subnet ensures that it is not directly accessible from the internet.The ALB's security group should be configured to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port. This ensures that only traffic originating from the accelerator is allowed to access the ALB.
upvoted 1 times
...
Marfee400704
1 year, 2 months ago
I think that it's correct answer is A according to SPOTO products.
upvoted 1 times
...
marfee
1 year, 2 months ago
I think that it's correcty answer is A.
upvoted 1 times
...
merajk
1 year, 5 months ago
Selected Answer: A
Well described here: https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html
upvoted 2 times
ChinkSantana
1 year, 3 months ago
Well explained here: When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet.
upvoted 1 times
...
...
task_7
1 year, 5 months ago
Selected Answer: A
https://aws.amazon.com/blogs/networking-and-content-delivery/accessing-private-application-load-balancers-and-instances-through-aws-global-accelerator/
upvoted 4 times
...
Andrea13
1 year, 6 months ago
The correct answer is C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the accelerator’s IP addresses on the ALB listener port.
upvoted 4 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago