Exam AWS-SysOps topic 1 question 318 discussion

B & C https://jayendrapatil.com/aws-virtual-private-cloud-vpc/ not A - web server is behind the ELB and customer IPs will never reach web servers) B - configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header (get the customer IPs and create a custom filter to restrict access. Refer link) C - configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic (ELB will see the customer IPs so can restrict access, deny all is basically have no rules in outbound traffic, implicit, and its stateful so would work) not D - configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic (NACL is stateless, deny all will not work)

i'd go with A&B C&D mention deny all outbound traffic so results from web server would not be going out to client IP

Why would outgoing traffic matter? C doesn't seem right to me.

Correct Answers: B & C

Only B is correct

Answer A&B is correct. The ELB Xforwarded option will expose an IP addr of the customer to the VM, so that will be restricted to the trusted network on SG. Using this only allowed IPs can access the application.

https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html#x-forwarded-for - "The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer." I think this seals it, A and B are the right options.

A is not right. When did VPC have security group. Its BC

B and D are the correct ans. There is ELB in front of the EC2 so security group of EC2 doesnt help.