Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 123 discussion

This issue is solved by SSL offloading, i.e. by moving the SSL termination task to the ALB. https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/

The correct answer is D. To increase the application's performance, the solutions architect should import the SSL certificate into AWS Certificate Manager (ACM) and create an Application Load Balancer with an HTTPS listener that uses the SSL certificate from ACM. An Application Load Balancer (ALB) can offload the SSL termination process from the EC2 instances, which can help to increase the compute capacity available for the web application. By creating an ALB with an HTTPS listener and using the SSL certificate from ACM, the ALB can handle the SSL termination process, leaving the EC2 instances free to focus on running the web application.

Ans D - well explained by Buruguduystunstugudunstuy (1yr, 8mth): "To increase the application's performance, the solutions architect should import the SSL certificate into AWS Certificate Manager (ACM) and create an Application Load Balancer with an HTTPS listener that uses the SSL certificate from ACM. An Application Load Balancer (ALB) can offload the SSL termination process from the EC2 instances, which can help to increase the compute capacity available for the web application. By creating an ALB with an HTTPS listener and using the SSL certificate from ACM, the ALB can handle the SSL termination process, leaving the EC2 instances free to focus on running the web application."

D is the correct answer.

This issue is solved by SSL offloading, i.e. by moving the SSL termination task to the ALB. https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination

The key reasons are: Using an Application Load Balancer with an HTTPS listener allows SSL termination to happen at the load balancer layer. The EC2 instances behind the load balancer receive only unencrypted traffic, reducing load on them. Importing the custom SSL certificate into ACM allows the ALB to use it for HTTPS listeners. This removes the need to install and manage SSL certificates on each EC2 instance. ALB handles the SSL overhead and scales automatically. The EC2 fleet focuses on app logic. Options A, B, C don't offload SSL overhead from the EC2 instances themselves.

By using ACM to manage the SSL certificate and configuring an ALB with HTTPS listener, the SSL termination will be handled by the load balancer instead of the web servers. This offloading of SSL processing to the ALB reduces the compute capacity burden on the web servers and improves their performance by allowing them to focus on serving the dynamic web application. Option A suggests creating a new SSL certificate using ACM, but it does not address the SSL termination offloading and load balancing capabilities provided by an ALB. Option B suggests migrating the SSL certificate to an S3 bucket, but this approach does not provide the necessary SSL termination and load balancing functionalities. Option C suggests creating another EC2 instance as a proxy server, but this adds unnecessary complexity and management overhead without leveraging the benefits of ALB's built-in load balancing and SSL termination capabilities. Therefore, option D is the most suitable choice to increase the application's performance in this scenario.

Why is A wrong?

SSL termination is the process of ending an SSL/TLS connection. This is typically done by a device, such as a load balancer or a reverse proxy, that is positioned in front of one or more web servers. The device decrypts incoming SSL/TLS traffic and then forwards the unencrypted request to the web server. This allows the web server to process the request without the overhead of decrypting and encrypting the traffic. The device then re-encrypts the response from the web server and sends it back to the client. This allows the device to offload the SSL/TLS processing from the web servers and also allows for features such as SSL offloading, SSL bridging, and SSL acceleration.

Option D to offload the SSL encryption workload

Due to this statement particularly: "The company has its own SSL certificate" as it's not created from AWS ACM itself.

D is correct

agree with D