Exam AWS Certified Solutions Architect - Professional topic 1 question 872 discussion

A company wants to deploy an API to AWS. The company plans to run the API on AWS Fargate behind a load balancer. The API requires the use of header-based routing and must be accessible from on-premises networks through an AWS Direct Connect connection and a private VIF.
The company needs to add the client IP addresses that connect to the API to an allow list in AWS. The company also needs to add the IP addresses of the API to the allow list. The company's security team will allow /27 CIDR ranges to be added to the allow list. The solution must minimize complexity and operational overhead.
Which solution will meet these requirements?

  • A. Create a new Network Load Balancer (NLB) in the same subnets as the Fargate task deployments. Create a security group that includes only the client IP addresses that need access to the API. Attach the new security group to the Fargate tasks. Provide the security team with the NLB's IP addresses for the allow list.
  • B. Create two new /27 subnets. Create a new Application Load Balancer (ALB) that extends across the new subnets. Create a security group that includes only the client IP addresses that need access to the API. Attach the security group to the ALB. Provide the security team with the new subnet IP ranges for the allow list.
  • C. Create two new /27 subnets. Create a new Network Load Balancer (NLB) that extends across the new subnets. Create a new Application Load Balancer (ALB) within the new subnets. Create a security group that includes only the client IP addresses that need access to the API. Attach the security group to the ALB. Add the ALB's IP addresses as targets behind the NLB. Provide the security team with the NLB's IP addresses for the allow list.
  • D. Create a new Application Load Balancer (ALB) in the same subnets as the Fargate task deployments. Create a security group that includes only the client IP addresses that need access to the API. Attach the security group to the ALB. Provide the security team with the ALB's IP addresses for the allow list.
Suggested Answer: B
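The crux of answer B is that the security team never learns the ALB's individual (dynamic) node IPs; it allow-lists the two /27 subnet ranges, and the ALB's ENIs are guaranteed to land inside them, while keeping those ranges separate from the Fargate task subnet so that the allow list does not also admit the tasks themselves. The following Python check is an added example for this page, not code from the question, the thread, or AWS; it runs offline on constructed ENI records shaped like `ec2 describe-network-interfaces` output (ALB-owned ENIs carry a description of the form `ELB app/<name>/<id>`), and the subnet IDs, CIDRs and load balancer name are invented for the illustration.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample records in the shape of `ec2 describe-network-interfaces`
# output. ALB-owned ENIs are described as "ELB app/<name>/<id>"; the IPs,
# subnet IDs and ALB name below are made up for this example.
SAMPLE_ENIS = [
    {"Description": "ELB app/api-alb/0123456789abcdef",
     "SubnetId": "subnet-alb-a", "PrivateIpAddress": "10.20.30.5"},
    {"Description": "ELB app/api-alb/0123456789abcdef",
     "SubnetId": "subnet-alb-b", "PrivateIpAddress": "10.20.30.40"},
    {"Description": "constructed non-ALB ENI (e.g. a task interface)",
     "SubnetId": "subnet-tasks", "PrivateIpAddress": "10.20.40.12"},
]

# Option B: two dedicated /27 subnets for the ALB, separate from the task subnet.
ALB_SUBNETS = {"subnet-alb-a": "10.20.30.0/27", "subnet-alb-b": "10.20.30.32/27"}
TASK_SUBNETS = {"subnet-tasks": "10.20.40.0/24"}


def alb_private_ips(enis: Iterable[dict], alb_name: str) -> List[str]:
    """Private IPs of the ENIs that belong to the named ALB (these change as the ALB scales)."""
    prefix = f"ELB app/{alb_name}/"
    return [e["PrivateIpAddress"] for e in enis if e["Description"].startswith(prefix)]


def allow_list_from_subnets(subnets: Dict[str, str],
                            max_prefixlen: int = 27) -> List[ipaddress.IPv4Network]:
    """Turn the ALB subnets into allow-list entries; reject anything wider than /27,
    which is the widest range the security team will accept."""
    nets = [ipaddress.ip_network(cidr, strict=True) for cidr in subnets.values()]
    too_wide = [str(n) for n in nets if n.prefixlen < max_prefixlen]
    if too_wide:
        raise ValueError(f"policy allows /{max_prefixlen} or narrower, got {too_wide}")
    return nets


def ips_covered(ips: Iterable[str], nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True when every current ALB IP falls inside some allow-listed range."""
    nets = list(nets)
    return all(any(ipaddress.ip_address(ip) in n for n in nets) for ip in ips)


def allow_list_overlaps_tasks(nets: Iterable[ipaddress.IPv4Network],
                              task_subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Allow-listed ranges that also contain Fargate task IPs. A non-empty result
    means the allow list would let clients bypass the ALB and hit tasks directly."""
    task_nets = [ipaddress.ip_network(c) for c in task_subnets.values()]
    return [(str(n), str(t)) for n in nets for t in task_nets if n.overlaps(t)]


if __name__ == "__main__":
    ips = alb_private_ips(SAMPLE_ENIS, "api-alb")
    nets = allow_list_from_subnets(ALB_SUBNETS)
    print("ALB IPs:", ips)
    print("allow list:", [str(n) for n in nets])
    print("all ALB IPs covered:", ips_covered(ips, nets))
    print("ranges that also cover tasks:", allow_list_overlaps_tasks(nets, TASK_SUBNETS))
```

In a real account the `SAMPLE_ENIS` list would come from `aws ec2 describe-network-interfaces --filters Name=description,Values="ELB app/<alb-name>/*"`, and the check is worth running on a schedule because the ALB adds and removes nodes over time; the subnet-range entries keep the allow list valid through that churn, which per-IP entries (options A and D) do not.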

Comments

sb333
Highly Voted 2 years, 2 months ago
Selected Answer: B
Since the security group will permit /27 CIDR ranges to be added to the allow list, we do not need to know what the actual IPs of the ALBs are (as they are dynamic). ALB is required as it operates at L7, needed for header-based routing.
upvoted 13 times
MikelH93
1 year, 6 months ago
The company must also add the API IP addresses to the authorization list so the ALB ip must not be dynamic.
upvoted 1 times
dcdcdc3
Highly Voted 2 years, 2 months ago
Selected Answer: C
Thank you all for tips. This link shows C is the solution for the specified requirements: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/
upvoted 7 times
vn_thanhtung
1 year, 3 months ago
Add the ALB's IP addresses as targets behind the NLB, it smells
upvoted 1 times
rbm2023
Most Recent 1 year, 6 months ago
Selected Answer: B
You can eliminate C because of the NLB; it won't support header-based routing.
upvoted 3 times
Jesuisleon
1 year, 6 months ago
Selected Answer: C
C is right. You need the NLB to be public-facing with a static IP address, which is required by the company's allow list. See this link: https://repost.aws/knowledge-center/alb-static-ip "If your Application Load Balancer requires a static IP address, then it's a best practice to register it behind a Network Load Balancer." Remember: always follow the AWS best practices if you want to succeed in your exam.
upvoted 1 times
hobokabobo
1 year, 8 months ago
Selected Answer: B
It says "Security team allow /27". That's the security requirement we need to fulfill, no more. We need an ALB for better filters and not an NLB. Stacking an NLB in front of an ALB is possible but not necessary to fulfill the requirement. So we can go with a straightforward ALB in front of Fargate and give the sec team the range. The other solution that has the ALB in the same range as Fargate would allow bypassing the filtering.
upvoted 1 times
evargasbrz
1 year, 11 months ago
Selected Answer: B
I'll go with B. I don't know if answer C is right, since this link: https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/ uses the ALB's name as a target behind the NLB and not the ALB's IPs, so the only right answer is B.
upvoted 1 times
evargasbrz
1 year, 11 months ago
Another important thing is this text: "The solution must minimize complexity and operational overhead."
upvoted 1 times
sjpd10
2 years, 1 month ago
C. NLB --> ALB ( SG with client IPs ) -->Subnets ( /27 )
upvoted 1 times
exam_war
2 years, 1 month ago
Selected Answer: C
NLB + ALB
upvoted 2 times
nsvijay04b1
2 years, 1 month ago
You need an NLB to provide a static IP to the company, and put 2 ALBs in 2 /27 subnets for path/route forwarding to the application.
a) NLB - it's layer 4, can't path forward
b) You can't get IPs for ALBs to provide to the allow list
c) NLB to give an IP to the allow list and 2 ALBs to path forward to the application - CORRECT answer
d) ALB can't provide an IP, plus being in the app subnet doesn't help with being in /27 rules
upvoted 2 times
Byrney
2 years ago
ALBs will be given private IP addresses in the /27 CIDR blocks.
upvoted 1 times
fdoxxx
2 years, 1 month ago
Selected Answer: B
B - "Posted On: Mar 27, 2019 Application Load Balancers now support request routing based on standard or custom HTTP headers and methods, query parameters, and source IP addresses. This launch extends the existing support for Host header and path-based routing rules in Application Load Balancers to more fields from HTTP request messages. This richer set of routing criteria enables you to further simplify your application architecture by offloading routing functionality to the load balancer. It can also be used to block unwanted traffic at the load balancer."
upvoted 1 times
skywalker
2 years, 1 month ago
Selected Answer: C
C. Make use of the NLB static IP to allow the security team to whitelist.
upvoted 4 times
[Removed]
2 years, 1 month ago
Selected Answer: B
Header-based routing requires an ALB. The ALB's IPs are dynamic, so you need to put the CIDR range in the allow list.
upvoted 5 times
pinhead900
2 years, 2 months ago
Selected Answer: C
NLB for static ip, then load balance it to ALB
upvoted 4 times
phuongntb
2 years, 2 months ago
D. Since the ALB does not provide a static IP, but in this case we need an ALB for header routing, an NLB forwarding traffic to the ALB is a good solution in this case.
upvoted 2 times
phuongntb
2 years, 2 months ago
I mean C.
upvoted 4 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other