Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 12 discussion

C If you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

Option B ...Encryption at all stages: The requirement specifies that all traffic must be encrypted at all stages, with no decryption at intermediate points. Amazon CloudFront is a content delivery network (CDN) that supports end-to-end encryption (from the customer to the application). By configuring CloudFront with a custom SSL/TLS certificate, traffic between the customer and CloudFront (as well as between CloudFront and the origin) can be fully encrypted. No decryption at intermediate points: With CloudFront, you can ensure that traffic remains encrypted, and CloudFront acts as a proxy for the traffic without decrypting it. It only forwards the traffic (still encrypted) to the application servers.

With ALB HTTPS listener will have ALB itself to intercept and terminate SSL/TLS connection. NLB will TCP listener will allow SSL/TLS connections to passthrough to backend app. servers where they can decrypt the flow.

I think that it's correct answer is C according to SPOTO products.

I think that it's correcty answer is C.

'No decryption at intermediate points is allowed.'

C If you need to pass encrypted traffic to the targets without the load balancer decrypting it, create a TCP listener on port 443 instead of creating a TLS listener. https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html

Option A correct, an Application Load Balancer (ALB) is a Layer 7 load balancer that routes incoming traffic based on the content of the request. It can route traffic to Amazon EC2 instances, containers, and IP addresses based on the rules that you define. You can use an HTTPS listener to encrypt traffic between clients and the load balancer. The load balancer decrypts requests and encrypts responses before sending them to clients. Option C incorrect because The load balancer passes the request through as is, Since we must encrypt all traffic at all stages between the customers and the application servers and no decryption at intermediate points is allowed, NLB is not suitable for this scenario.

ALB is wrong because entire network packet needs to be forwarded

C is the correct answer here Based on the requirements given in the question, option C is the most suitable and correct solution. The Network Load Balancer (NLB) can handle TCP and UDP traffic, and it can also encrypt traffic with SSL/TLS encryption. Additionally, NLB is designed for high performance, low latency traffic and can handle millions of requests per second, making it well-suited for handling the continuously changing customer demand mentioned in the question. Option A, creating an Application Load Balancer (ALB), is also a viable solution for load balancing traffic to the EC2 instances, but it may not be the best option for handling high volumes of TCP and UDP traffic, especially when it comes to real-time applications.

C covers the requirement for end-to-end encryption

C is the only option that provides the connection from client not to be terminated in any intermediate point but the application server

AAAAAAAAAAAAAA

Option C may be a valid solution, but it only provides transport layer security (TLS) encryption, not end-to-end encryption. Additionally, TCP listeners cannot inspect the contents of traffic, so the Network Load Balancer would not be able to ensure that traffic is not decrypted at intermediate points.

Option C, creating a Network Load Balancer (NLB), is a Layer 4 load balancer that can distribute incoming traffic to EC2 instances based on IP protocol data such as TCP, UDP, or SSL. However, it does not provide the same routing and load balancing capabilities as an ALB, which can route traffic based on application layer data such as HTTP headers.

Should be option C). Requirement is for end-end encryption in transit between customer & instances (EC2), and hence requires NLB with TCP passthrough.

C - correct.