
Exam AWS Certified SysOps Administrator - Associate topic 1 question 287 discussion

A company is managing a website with a global user base hosted on Amazon EC2 with an Application Load Balancer (ALB). To reduce the load on the web servers, a SysOps administrator configures an Amazon CloudFront distribution with the ALB as the origin. After a week of monitoring the solution, the administrator notices that requests are still being served by the ALB and there is no change in the web server load.

What are possible causes for this problem? (Choose two.)

  • A. CloudFront does not have the ALB configured as the origin access identity.
  • B. The DNS is still pointing to the ALB instead of the CloudFront distribution.
  • C. The ALB security group is not permitting inbound traffic from CloudFront.
  • D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution.
  • E. The target groups associated with the ALB are configured for sticky sessions.
Suggested Answer: BD

Comments

Christina666
Highly Voted 9 months ago
Selected Answer: BD
B. The DNS is still pointing to the ALB instead of the CloudFront distribution. Explanation: If the DNS is still directing user traffic directly to the ALB instead of the CloudFront distribution, then the requests will not be served through CloudFront, and there won't be any reduction in the web server load.

D. The default, minimum, and maximum Time to Live (TTL) are set to 0 seconds on the CloudFront distribution. Explanation: If the Time to Live (TTL) settings are set to 0 seconds, it means that CloudFront will not cache any responses from the ALB and will forward each request directly to the ALB. This will result in the ALB still serving all the requests, and there won't be any offloading of the web server load.
upvoted 6 times
Christina666
9 months ago
C. The ALB security group is not permitting inbound traffic from CloudFront. Explanation: If inbound traffic from CloudFront is not allowed in the ALB security group, CloudFront won't be able to access the ALB to fetch content. However, this issue would lead to an authentication or connectivity problem, and CloudFront would not be able to serve any requests, rather than selectively not reducing the load on the web servers.

E. The target groups associated with the ALB are configured for sticky sessions. Explanation: Sticky sessions make the ALB route user requests from the same client to the same target during a session. This might affect the load distribution among the targets but should not prevent CloudFront from serving requests or offloading the server load.
upvoted 1 times
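The two causes in the accepted answer can be checked from a distribution's configuration and the site's DNS record. The script below is an added example, not code from the thread or from AWS. It assumes a dict shaped like the `DistributionConfig` that boto3's `get_distribution_config` returns (with legacy per-behavior TTL fields), and the config, DNS target and CloudFront domain are constructed placeholders.

```python
"""Audit a CloudFront distribution for the two failure modes in the accepted
answer: DNS still targeting the ALB (B) and cache behaviors with all TTLs
at zero (D).  Constructed sample data; not a real distribution."""

import copy
from typing import Dict, List

# Constructed: shaped like boto3 cloudfront.get_distribution_config()["DistributionConfig"]
SAMPLE_CONFIG: Dict = {
    "Origins": {"Quantity": 1, "Items": [
        {"Id": "alb-origin", "DomainName": "my-alb-123.us-east-1.elb.amazonaws.com"}]},
    # Default behavior: every TTL is 0, so nothing is ever held at the edge.
    "DefaultCacheBehavior": {"TargetOriginId": "alb-origin",
                             "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0},
    # A path-specific behavior that does cache (min 0 is fine when default/max > 0).
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "TargetOriginId": "alb-origin",
         "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000}]},
}
DIST_DOMAIN = "d111111abcdef8.cloudfront.net"             # placeholder CloudFront hostname
SITE_CNAME = "my-alb-123.us-east-1.elb.amazonaws.com"     # constructed: what www.example.com currently resolves to


def zero_ttl_behaviors(dist_config: Dict) -> List[str]:
    """Return the path patterns of behaviors whose min, default and max TTL are all 0.

    With all three at 0 CloudFront cannot store a response, so every request
    goes to the origin and the ALB sees the same load as before (choice D).
    Assumption: behaviors carry legacy TTL fields; a behavior that only
    references a CachePolicyId keeps its TTLs in the policy and is skipped here.
    """
    behaviors = [("(default)", dist_config["DefaultCacheBehavior"])]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))
    hits = []
    for pattern, b in behaviors:
        if "CachePolicyId" in b and "MinTTL" not in b:
            continue  # TTLs live in the cache policy; fetch it separately
        ttls = (b.get("MinTTL", 0), b.get("DefaultTTL", 0), b.get("MaxTTL", 0))
        if all(t == 0 for t in ttls):
            hits.append(pattern)
    return hits


def dns_bypasses_cloudfront(site_target: str, dist_domain: str) -> bool:
    """True if the site's record points somewhere other than the distribution (choice B)."""
    return site_target.rstrip(".").lower() != dist_domain.rstrip(".").lower()


def audit(dist_config: Dict, dist_domain: str, site_target: str) -> List[str]:
    """Collect human-readable findings; an empty list means both checks pass."""
    findings = []
    if dns_bypasses_cloudfront(site_target, dist_domain):
        findings.append(f"B: site DNS targets {site_target}, not {dist_domain}; "
                        "clients reach the ALB directly and CloudFront is bypassed")
    for pattern in zero_ttl_behaviors(dist_config):
        findings.append(f"D: cache behavior {pattern} has min/default/max TTL = 0; "
                        "every request is forwarded to the origin")
    return findings


def fixed_config(dist_config: Dict, default_ttl: int = 86400) -> Dict:
    """Return a copy with a non-zero default/max TTL on the default behavior."""
    fixed = copy.deepcopy(dist_config)
    fixed["DefaultCacheBehavior"].update({"DefaultTTL": default_ttl, "MaxTTL": 31536000})
    return fixed


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG, DIST_DOMAIN, SITE_CNAME):
        print(line)
    print("after fix:", audit(fixed_config(SAMPLE_CONFIG), DIST_DOMAIN, DIST_DOMAIN))
```

Run against a real account by replacing `SAMPLE_CONFIG` with the `DistributionConfig` from `get_distribution_config` and `SITE_CNAME` with the target of the site's DNS record; a behavior that uses a cache policy rather than legacy TTLs needs the policy's own `MinTTL`/`DefaultTTL`/`MaxTTL` fed in the same way.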
jipark
Most Recent 8 months, 1 week ago
Selected Answer: BD
Why not E: the sticky option cannot reduce but not stop all incoming traffic. "requests are still being served by the ALB"
upvoted 1 times
eboehm
9 months, 1 week ago
Selected Answer: BD
BD. OAI does not apply to ALB; instead you would use custom headers to restrict access: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.html
upvoted 1 times
noahsark
10 months, 1 week ago
Selected Answer: BD
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesMinTTL
upvoted 2 times
Julio98
11 months ago
A and B
upvoted 1 times
Gomer
11 months, 4 weeks ago
I believe "B" is correct. However, I can't decide between "A" or "D" because I know the OAI setting is necessary to enforce users to go through CloudFront. However, the question isn't clearly stating that. The ALB needs to clearly be configured as the Origin. The way they state the question is muddying up the distinction between "Origin" and "Origin Access Identity", which I distinguish as a setting in CloudFront. In regards to "D", as I looked into it, the "TTL" of 0 (zero) only means the edge passes on every request to the origin to see if the object has changed. If not, then the object is not recent. This setting would still impact the origin to some degree, but not anything like if the object were not being cached at all. Weighing that against the OAI presumably not being enabled (as in "A"), I see OAI not being enabled as far more of a problem, as users can bypass CloudFront. Now I'm back trying to figure out if "A" is really stating that, or just trying to make a confused statement as a trick response. Appreciate more informed thoughts on this from others.
upvoted 2 times
Gomer
11 months, 1 week ago
I changed my mind on this. As I've better come to understand it, the OAI/OAC are only applicable to S3 as CF origin (not ALB as CF origin). "B" is obvious, and doesn't need much discussion as it could cause CF to be bypassed. In regards to "D", with TTL=0, every request for the object is passed on to the origin to see if the object has changed (or not). That is going to cause unnecessarily high utilization on the web server (even if a new object is rarely forwarded). As I'm understanding it in my mind, the TTL=0 may be appropriate for individual objects, but not as a general setting for the entire CloudFront distribution (all objects).
upvoted 2 times
Gomer
11 months, 1 week ago
If you set the TTL=0 as a general setting for everything on the CloudFront distribution (including objects that don't have a high rate of change), then you're going to generate a lot of unnecessary traffic back to the origin and have higher web server utilization than is necessary, just saying "no, nothing has changed" over and over. I believe if you're going to use TTL=0, it should only be set in metadata for individual objects that have a high rate of change.
upvoted 2 times
eboehm
9 months, 1 week ago
I agree with this answer. OAI is used with S3, and custom HTTP headers are used for restricting ALB access to only come from CF.
upvoted 1 times
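The custom-header restriction that eboehm and the linked AWS doc describe (an alternative to OAI, which only applies to S3 origins) has two halves: CloudFront adds a secret header to every origin request, and an ALB listener rule forwards only requests carrying it. The following is an added example modelling both halves, not AWS's or the thread's code; the header name, secret value and origin entry are constructed placeholders.

```python
"""Verify-header pattern for an ALB origin: CloudFront injects a secret
header, the ALB listener rule rejects requests without it.  The config
and values here are CONSTRUCTED for the example."""

import hmac
from typing import Dict

# Hypothetical header name; the value would be a long random secret kept in
# the distribution's origin custom headers and in the ALB listener rule.
VERIFY_HEADER = "X-Origin-Verify"
VERIFY_VALUE = "constructed-example-secret"

# Constructed: shaped like one entry of DistributionConfig["Origins"]["Items"]
SAMPLE_ORIGIN: Dict = {
    "Id": "alb-origin",
    "DomainName": "my-alb-123.us-east-1.elb.amazonaws.com",
    "CustomHeaders": {"Quantity": 1, "Items": [
        {"HeaderName": VERIFY_HEADER, "HeaderValue": VERIFY_VALUE}]},
}


def origin_sends_header(origin: Dict, header_name: str) -> bool:
    """CloudFront side: is the origin configured to add the verify header?"""
    items = origin.get("CustomHeaders", {}).get("Items", [])
    return any(h["HeaderName"].lower() == header_name.lower() for h in items)


def alb_decision(request_headers: Dict[str, str], expected: str) -> int:
    """ALB side: model of a listener rule that forwards to the target group
    (200) only when the verify header matches, else returns a fixed 403.
    The comparison is constant-time so the rule itself leaks nothing."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    presented = lowered.get(VERIFY_HEADER.lower(), "")
    if hmac.compare_digest(presented.encode(), expected.encode()):
        return 200
    return 403


if __name__ == "__main__":
    print("origin adds header:", origin_sends_header(SAMPLE_ORIGIN, VERIFY_HEADER))
    via_cloudfront = {"Host": "www.example.com", VERIFY_HEADER: VERIFY_VALUE}
    direct_hit = {"Host": "www.example.com"}
    print("via CloudFront:", alb_decision(via_cloudfront, VERIFY_VALUE))
    print("direct to ALB:", alb_decision(direct_hit, VERIFY_VALUE))
```

On a real deployment the header-based rule is combined with the network-level control behind choice C: the ALB security group allows inbound traffic only from the AWS-managed prefix list of CloudFront origin-facing addresses, so a client that bypasses the distribution is dropped before the listener rule is even evaluated.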
Community vote distribution
  • A (35%)
  • C (25%)
  • B (20%)
  • Other