Exam ANS-C00 topic 1 question 27 discussion

Answer is B. My reasoning is as follows: There are three components to consider here: ELB, Application Instances, and Amazon RDS. Since company policy requires end-to-end encryption of all data in transit, ideally the encrypted data can go all the way to the database service (RDS) MySQL. However, that is not possible (otherwise this entire question becomes totally meaningless). Having the load balancer handle the SSL termination won't solve the problem as ELB cannot re-encrypt https traffic. As a result, we are only left with the application instances for SSL termination. With MySQL you can opt to connect to the database using an encrypted connection by configuring Amazon RDS for SSL, and use REQUIRE SSL grants. See https://www.laurencegellert.com/2017/08/how-to-require-ssl-when-connecting-to-mysql-on-aws-rds/

Answer is B, ELB cannot re-encrypt https traffic. So working at tcp level and leaving decrypting to App servers solve the problem.

Correct Answer C

Correct Answer B

The answer is B https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/https-tcp-passthrough.html

Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.

B is the answer because ..here we need to use NLB ( Restful API) and for end to end enrcyption TCP is in ELB and SSL in Servers

B...cannot offload the encryption to ELB. It will decrypt the data in ELB and then encrypt again and send to the servers which does not meet the requirement of E2E encryption

@Johnny_Green gave a perfect explanation why, so I vote for B

2 ssl terminations (user-LB and LB-EC2) do not make sense on a path, instead , passing through LB , terminating on EC2 would give us end-to-end in more practical way, to me it's B

correct answer is B

B is correct, for clarity, we’re referring to CLB not ALB

May be C. ELB have supported re-encrypt from on 30 AUG 2011 --- 1. Terminate SSL on ELB. 2. Re-encrypt traffic on ELB. 3. Terminate SSL on EC2 (deploy self-sign certificate or using private root CA) --- https://aws.amazon.com/blogs/aws/elastic-load-balancer-ssl-support-options/ We’re enhancing this feature to allow you to terminate a request at the load balancer and then re-encrypt it before it is sent to an EC2 instance

B. End to End means from user to ELB then application-RDS will be all-encrypted without taking off security layer (SSL) in the middle. So not offload concept but application SSL termination endpoint.

Deep dived into this. A. Obvious. Nope. Listerner = HTTP. C. ELB listener = HTTPS. SSL/TLS terminated. Connection to App tier RESTful interfaces = can be HTTP sessions. Google restful definition - basic 101 stuff. Not full encryption path. D. ELB with 443 > ELB terminated = fail. Nope. B. ELB TCP Mode. Passthrough traffic. App tier terminates SSL = good. RDS SSL require SSL = connections to RDS require SSL. This is good. This is end to end. The question misses out on some stuff, also the technical accuracy of the text is very generic, dive into RDS world and the language is more nounced. Answer is B. Crappy accuracy of text but its gives enough info to see in basic 101 networking that B is end to end.

A can be a correct answer because it will not provide end-to-end encryption. B seems the correct answer.

why B? I think its A