Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 19 discussion

Answer is D . Use Gateway Load balancer

It's D, Coz.. Gateway Load Balancer is a new type of load balancer that operates at layer 3 of the OSI model and is built on Hyperplane, which is capable of handling several thousands of connections per second. Gateway Load Balancer endpoints are configured in spoke VPCs originating or receiving traffic from the Internet. This architecture allows you to perform inline inspection of traffic from multiple spoke VPCs in a simplified and scalable fashion while still centralizing your virtual appliances.

3rd Party Virtual Appliances ---> Gateway Loadbalancer

we're able to load balance some of the incoming traffic through to those virtual appliances where they can perform some kind of inspection. - Used in front of virtual appliances such as: - firewalls, - IDS: intrusion detection systems - IPS: intrusion prevention systems - DPI: deep packet inspection systems - Operates at Layer 3 – listens for all packets on all ports - Forwards traffic to the TG specified in the listener rules - GLB and virtual appliances Exchanges traffic using the GENEVE protocol on port 6081

The answer is D for some obvious reasons: - Low operational overhead. - Integrate AWS Marketplace and third-party application. I think the question will be much more interesting if the author add another option like using VPC-to-VPC traffic inspection because the question asked traffic to be inspected before it reaches application layer so traffic forwarding is also a feasible solution.

The solution that will meet these requirements with the least operational overhead is D: Deploy a Gateway Load Balancer in the inspection VPC and create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance. A Gateway Load Balancer is a fully managed service that provides a single point of contact for clients and distributes incoming traffic across multiple targets, such as Amazon Elastic Compute Cloud (EC2) instances and containers, in one or more virtual private clouds (VPCs). You can deploy a Gateway Load Balancer in the inspection VPC and create a Gateway Load Balancer endpoint to receive the incoming packets from the web servers in the application's VPC and forward the packets to the appliance for packet inspection. This will allow you to inspect all traffic to the web application with minimal operational overhead.

D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance. A Gateway Load Balancer can inspect traffic before forwarding it to a virtual appliance for additional processing. The solution will not require changing the existing architecture and will have the least amount of operational overhead. The appliance can be configured with a specific IP interface to accept IP packets. The Gateway Load Balancer can be configured with an endpoint to route incoming packets to the appliance. The solution ensures all traffic to the web application is inspected before it reaches the web server.

Keywords:Third-party virtual firewall appliance from AWS Marketplace in an inspection VPC -> only Gateway Load Balancer support it A: Incorrect - Network Load Balancer don't support to route traffic to third-party virtual firewall appliance. B: Incorrect - Application Load Balancer don't support to route traffic to third-party virtual firewall appliance. C: Incorrect - Transit Gateway is use as connect center to connect all VPC, Direct Connect Gateway and VPN Connection. Routes Tables in Trasit Gateway only limit which VPC can talk to other VPCs. D: Correct - Gateway Load Balancer support route traffic to third-party virtual firewall appliance in layer 3 that make it different from ALB and NLB.

In the scenario described, the web servers, application servers, and database servers are all located within the same VPC. Therefore, a Gateway Load Balancer may not be the most suitable choice for load balancing traffic between them. Instead, an Application Load Balancer (ALB) would be a better option as it operates at Layer 7 and can inspect traffic at the application layer. This would allow the virtual firewall to inspect traffic before it reaches the web servers, which is the requirement specified in the scenario. Overall, while a Gateway Load Balancer can be useful in certain scenarios, it is not the best choice for this particular use case. An Application Load Balancer is a better option as it provides the necessary features to integrate the web application with the virtual firewall appliance and inspect all traffic before it reaches the web server.

Here's why Traffic enters the service consumer VPC through the internet gateway. Traffic is sent to the Gateway Load Balancer endpoint, as a result of ingress routing. Traffic is sent to the Gateway Load Balancer for inspection through the security appliance. Traffic is sent back to the Gateway Load Balancer endpoint after inspection. Traffic is sent to the application servers (destination subnet). https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/getting-started.html But I ain't completely sure about the least operational overhead.

This is the answer of ChatGpt: Option B is the correct solution because the ALB can be used to redirect traffic to the virtual firewall appliance without requiring any changes to the backend application servers. The ALB can also be configured to send traffic to multiple targets, allowing the architect to perform high availability and load balancing. This solution is easy to implement and manage and does not require any additional components such as transit gateways or gateway load balancers. Option D is not the optimal solution since Gateway Load Balancer (GWLB) is intended for use with virtual appliances in the cloud, such as firewalls and intrusion prevention systems. However, it adds operational overhead since creating and managing a Gateway Load Balancer requires several components, including an endpoint group and listener.

A. Create a Network Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection. By creating a Network Load Balancer (NLB) in the public subnet, you can configure it to forward incoming traffic to the virtual firewall appliance for inspection. The NLB operates at the transport layer (Layer 4) and can distribute traffic across multiple instances, including the firewall appliance. This allows you to scale the inspection capacity if needed. The NLB can be associated with a target group that includes the IP address of the firewall appliance, directing traffic to it before reaching the web servers. Option B (Application Load Balancer) is not suitable for this scenario as it operates at the application layer (Layer 7) and does not provide direct access to the IP packets for inspection. Option C (Transit Gateway) and option D (Gateway Load Balancer) introduce additional complexity and overhead compared to using an NLB. They are not necessary for achieving the requirement of inspecting traffic to the web application before reaching the web servers.

The correct answer is D. Here is the explanation: Option D is correct because a Gateway Load Balancer (GWLB) is a global service, and it can be deployed in any VPC. This means that the GWLB can reach the appliance. Additionally, the GWLB can be configured to forward packets to the appliance for packet inspection. Option A is incorrect because a Network Load Balancer (NLB) is a regional service, and the appliance is deployed in an inspection VPC. This means that the NLB would not be able to reach the appliance. Option B is incorrect because an Application Load Balancer (ALB) is a regional service, and the appliance is deployed in an inspection VPC. This means that the ALB would not be able to reach the appliance. Option C is incorrect because a transit gateway is a global service, and the appliance is deployed in an inspection VPC. This means that the transit gateway would not be able to reach the appliance.

Gateway Load Balancer (GWLB): GWLB is designed for deploying third-party appliances and provides a scalable and easy way to route traffic through appliances. It operates at the network layer and can handle both TCP and UDP traffic. Operational Overhead: Deploying a GWLB in the inspection VPC and creating an endpoint involves less operational overhead compared to managing Load Balancers in the application's VPC. It allows for centralized management of the inspection process. This solution ensures that all traffic is routed through the Gateway Load Balancer for inspection before reaching the web servers, providing a scalable and efficient way to integrate the third-party virtual firewall appliance

A and B are wrong, as they don' t support cross-VPC traffic routing Option C -transit gateway attached to VPC,updating route table and configure security groups and network ACLs can accomplish the task. Meanwhile, Gateway load balancer is designed meant for routing traffic across VPC, but itself alone does not work. All effort mentioned is C are still required. So this is not the least effort?

Ans B – (a) because it’s at the right level, ie. application level packet inspection; (b) it states “packet inspection” and fulfils the conditions: -“LEAST operational overhead” -“…to inspect all traffic to the application before the traffic reaches the web” GLB won’t do it – because it states “receive the incoming packets and forward the packets to the appliance” – ie. NO inspection: the application gets the packet (good or bad!).

D : Gateway Load balancer : use when you have virtual appliances like IDP/IPS(instruction detection, prevention system.. ) & Firewall etc