ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 121 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 121
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology.

The company plans to deploy the application migration to AWS on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Deploy the security tool on EC2 instances m a new Auto Scaling group in the existing VPC
  • B. Deploy the web application behind a Network Load Balancer
  • C. Deploy an Application Load Balancer in front of the security tool instances
  • D. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool
  • E. Provision a transit gateway to facilitate communication between VPCs.
Show Suggested Answer Hide Answer
Suggested Answer: AD 🗳️
by zhangyu20000 at Jan. 16, 2023, 2:12 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
rbm2023
Highly Voted 2 years, 2 months ago
Selected Answer: DE
Based on the scenario in question, the requirement is that the security tool will run in an auto scaling group in a dedicated VPC this cannot be changed. This will break Option A. If we look at the usage for the Gateway Load Balancer which is the key for the solution where application cannot have performance hits if you are inspecting the traffic, so you need to TAP the traffic to move into another third-party tool. In the references you will find below the transit gateway will facilitate the VPC-to-VPC communication and as you can see, the security appliances VPC is a segregated from the application VPC, so again, option A is NOT valid. https://catalog.workshops.aws/networking/en-US/gwlb https://www.fortinet.com/blog/business-and-technology/highly-scalable-fortigate-next-generation-firewall-security-on-aws-gateway-load-balancer-service
upvoted 24 times
...
OCHT
Highly Voted 2 years, 3 months ago
Selected Answer: AD
Option B, deploying the web application behind a Network Load Balancer, is not relevant to integrating the third-party security tool with AWS technology. Option C, deploying an Application Load Balancer in front of the security tool instances, is not necessary because a Gateway Load Balancer is already being used to redirect traffic to the security tool. Option E, provisioning a transit gateway to facilitate communication between VPCs, is not relevant to integrating the third-party security tool with AWS technology or inspecting packets in and out of the VPC. In summary, options A and D are the best choices because address the specific requirements stated in the scenario while options B, C and E do not.
upvoted 22 times
43c89f4
1 year, 2 months ago
DE is correct, the question clearly mention which combination - GWLB and provision transit gateway is solution
upvoted 3 times
...
deegadaze1
2 years, 1 month ago
Correct for GLB---> https://www.youtube.com/watch?v=-j2smz_VCH4
upvoted 2 times
...
...
Kaps443
Most Recent 1 month, 1 week ago
Selected Answer: AD
A. Deploy the security tool on EC2 instances Since the tool is legacy and has no cloud-native support, it must run on EC2 instances. An Auto Scaling group helps maintain availability and resilience. Placing the tool in the same VPC allows for easy traffic routing via a Gateway Load Balancer. D. Provision a Gateway Load Balancer (GWLB) per AZ Gateway Load Balancer is designed specifically for this use case: deploying virtual appliances (like firewalls, IDS/IPS, and packet inspection tools). It redirects VPC traffic to your EC2-based security tool instances for inline, transparent inspection, without affecting the app performance.
upvoted 1 times
...
jimee11
2 months, 1 week ago
Selected Answer: AD
Requirements clearly call out the 'web application' vs. 'security tool'. The web application is not going to be deployed behind an NLB. This rules out B. Requirements say you need scalability. Deploy the security tool behind an ALB with auto-scaling (A). Gateway LB is best for deep packet inspections (D).
upvoted 1 times
...
kylix75
5 months, 3 weeks ago
Selected Answer: BD
Correct answers: B and D Rationale: B (Network Load Balancer): - Operates at layer 4 - Minimal latency impact - Supports transparent network inspection D (Gateway Load Balancer): - Purpose-built for third-party security appliances - Enables inline traffic inspection - High availability with per-AZ deployment Other options' issues: A: Doesn't address traffic routing C: ALB operates at layer 7, adding unnecessary overhead E: Transit gateway unnecessary for single VPC setup
upvoted 1 times
...
ahhatem
7 months, 1 week ago
Selected Answer: DE
The question explicitly states that it would be deployed in a dedicated VPC. This disqualifies A. On another hand, dedicated security appliances are usually deployed in a centralized networking setup with central ingress/egress. Check this whitepaper: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/using-gwlb-with-tg-for-cns.html
upvoted 1 times
...
Edd_18
7 months, 4 weeks ago
Selected Answer: DE
https://www.fortinet.com/blog/business-and-technology/highly-scalable-fortigate-next-generation-firewall-security-on-aws-gateway-load-balancer-service
upvoted 2 times
...
FZA24
9 months, 1 week ago
Selected Answer: AD
In AD, it mention that will be deployed in the existing VPC. however, in DE, it does not mention that the security tool is deployed in another VPC. It only mention transit gateway between VPCs.
upvoted 2 times
...
AWSum1
9 months, 2 weeks ago
Selected Answer: AD
it says it needs to inspect traffic coming in and out of THE VPC not multiple VPC's. This statement disqualifies E
upvoted 3 times
...
amministrazione
10 months, 2 weeks ago
A. Deploy the security tool on EC2 instances m a new Auto Scaling group in the existing VPC D. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool
upvoted 1 times
...
ry1999
10 months, 3 weeks ago
Selected Answer: AD
D and E make the most sense if your architecture involves multiple VPCs where traffic needs to be centrally managed and inspected. This combination addresses both the direct need for packet inspection and the broader network management requirements. A and E could be considered if the application and security tool deployment are straightforward and confined to a single or connected VPCs. However, managing traffic flow effectively to the security tools might require additional configuration that can complicate the setup. Since there is only once VPC, AD
upvoted 3 times
...
Jason666888
11 months, 2 weeks ago
Selected Answer: AD
It has to be AD. I've taken the Udemy Course from stephane maarek and his course described this kind of scenario
upvoted 5 times
...
seochan
11 months, 2 weeks ago
Selected Answer: AD
DE cannot be the answer. The combination doesn't describe how to deploy the security tools on the cloud.
upvoted 2 times
...
michele_scar
1 year, 1 month ago
Selected Answer: DE
DE is the answer. Transit -> GWLB -> Inspection tool
upvoted 1 times
helloworldabc
10 months, 3 weeks ago
just AD
upvoted 1 times
...
...
ce825d4
1 year, 1 month ago
Selected Answer: AD
AD is correct as the requirement is to use the Security tool to inspect traffic coming in and out of the VPC. So, you need to deploy the security tool on EC2 instances and provision a Gateway loadbalancer to load balance the traffic. With a GLB, you can deploy, manage, and scale virtual appliances, such as intrusion detection and prevention, firewalls, and deep packet inspection systems. It creates a single entry and exit point for all appliance traffic and scales your virtual appliances with demand. You can also exchange traffic across virtual private cloud (VPC) boundaries.
upvoted 2 times
...
seetpt
1 year, 2 months ago
Selected Answer: AD
AD for me
upvoted 2 times
...
red_panda
1 year, 2 months ago
Selected Answer: DE
DE without doubts guys. GLB is just for this reason. Deploy the security tool into another ASG will only increase the cost and it's crazy, the performance isn't the same as the GLB (which operates at Lv. 3 of networking).
upvoted 2 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel