Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 121 discussion

A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology.

The company plans to deploy the application migration to AWS on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region.

Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC.
  • B. Deploy the web application behind a Network Load Balancer.
  • C. Deploy an Application Load Balancer in front of the security tool instances.
  • D. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool.
  • E. Provision a transit gateway to facilitate communication between VPCs.
Suggested Answer: AD
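The pattern the question is about (a Gateway Load Balancer acting as a layer-3 "bump in the wire" in front of an Auto Scaling group of appliances, with a GWLB endpoint and edge routing in the application VPC) is easier to reason about as infrastructure code. The following Terraform sketch is an added example, not part of the exam page or any vendor's reference architecture. Every variable value, the instance type, AMI id, subnet ids and CIDR are hypothetical placeholders, and the appliance VPC and application VPC are assumed to exist already. It shows one endpoint in one Availability Zone for brevity; for the in-Region high availability the question asks for, each AZ needs its own GWLB endpoint and its own route table so that traffic never crosses zones to be inspected.

```hcl
# Added example (hypothetical, not from the exam page): inbound traffic to the web
# subnet is routed through a Gateway Load Balancer endpoint, inspected by the
# security-tool Auto Scaling group, and then delivered to the application.

provider "aws" {
  region = "us-east-1"
}

# Assumed to exist already: VPC and subnets (one per AZ) for the security tool.
variable "appliance_vpc_id"     { type = string }
variable "appliance_subnet_ids" { type = list(string) }
variable "appliance_ami_id"     { type = string }   # image with the 15-year-old tool installed

# Assumed to exist already: the application VPC, its web subnet and its internet gateway.
variable "app_vpc_id"      { type = string }
variable "app_igw_id"      { type = string }
variable "app_subnet_cidr" { type = string }        # e.g. "10.1.1.0/24" (constructed)
variable "gwlbe_subnet_id" { type = string }        # dedicated subnet for the GWLB endpoint

# 1. Gateway Load Balancer in the appliance VPC.
resource "aws_lb" "inspection" {
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = var.appliance_subnet_ids
}

# GWLB target groups speak GENEVE on UDP 6081; health is probed separately.
resource "aws_lb_target_group" "appliances" {
  name     = "security-tool-tg"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = var.appliance_vpc_id

  health_check {
    protocol = "TCP"
    port     = "80"
  }
}

resource "aws_lb_listener" "inspection" {
  load_balancer_arn = aws_lb.inspection.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.appliances.arn
  }
}

# 2. The security tool runs in an Auto Scaling group registered with the GWLB.
resource "aws_launch_template" "appliance" {
  name_prefix   = "security-tool-"
  image_id      = var.appliance_ami_id
  instance_type = "c5.large"
}

resource "aws_autoscaling_group" "appliances" {
  name                = "security-tool-asg"
  min_size            = 2          # at least one appliance per AZ
  max_size            = 6
  vpc_zone_identifier = var.appliance_subnet_ids
  target_group_arns   = [aws_lb_target_group.appliances.arn]

  launch_template {
    id      = aws_launch_template.appliance.id
    version = "$Latest"
  }
}

# 3. Publish the GWLB as an endpoint service and consume it from the app VPC.
resource "aws_vpc_endpoint_service" "inspection" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.inspection.arn]
}

resource "aws_vpc_endpoint" "inspection" {
  service_name      = aws_vpc_endpoint_service.inspection.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  vpc_id            = var.app_vpc_id
  subnet_ids        = [var.gwlbe_subnet_id]
}

# 4. Edge routing: packets arriving from the internet gateway for the web subnet
#    go to the endpoint first, so inspection happens before the application sees them.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.app_vpc_id
  route {
    cidr_block      = var.app_subnet_cidr
    vpc_endpoint_id = aws_vpc_endpoint.inspection.id
  }
}

resource "aws_route_table_association" "igw_edge" {
  gateway_id     = var.app_igw_id
  route_table_id = aws_route_table.igw_ingress.id
}

# Return path: the web subnet's default route also points at the endpoint, so
# outbound packets are inspected too (symmetric flow through the same appliance).
resource "aws_route_table" "web" {
  vpc_id = var.app_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.inspection.id
  }
}
```

Two things to check when wiring this up for real: the endpoint subnet itself needs a route table whose default route goes to the internet gateway (otherwise inspected packets have nowhere to go after the appliance returns them), and the appliance instances must terminate GENEVE and hand the inner packet to the security tool, which a tool with no cloud build may need a vendor-supplied shim or an AWS-side helper to do. Whether the appliance VPC is the "existing" application VPC or a separate dedicated one only changes which `vpc_id` the GWLB and endpoint are created in; the routing pattern is the same, which is the point the comments below are debating.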

Comments

OCHT
Highly Voted 1 year, 1 month ago
Selected Answer: AD
Option B, deploying the web application behind a Network Load Balancer, is not relevant to integrating the third-party security tool with AWS technology. Option C, deploying an Application Load Balancer in front of the security tool instances, is not necessary because a Gateway Load Balancer is already being used to redirect traffic to the security tool. Option E, provisioning a transit gateway to facilitate communication between VPCs, is not relevant to integrating the third-party security tool with AWS technology or inspecting packets in and out of the VPC. In summary, options A and D are the best choices because they address the specific requirements stated in the scenario, while options B, C and E do not.
upvoted 19 times
43c89f4
2 weeks, 3 days ago
DE is correct. The question clearly mentions "which combination": GWLB and provisioning a transit gateway is the solution.
upvoted 1 times
deegadaze1
11 months, 4 weeks ago
Correct for GWLB: https://www.youtube.com/watch?v=-j2smz_VCH4
upvoted 2 times
rbm2023
Highly Voted 12 months ago
Selected Answer: DE
Based on the scenario in question, the requirement is that the security tool will run in an Auto Scaling group in a dedicated VPC; this cannot be changed. This will break Option A. If we look at the usage for the Gateway Load Balancer, which is the key for the solution where the application cannot have performance hits if you are inspecting the traffic, you need to TAP the traffic to move it into another third-party tool. In the references you will find below, the transit gateway will facilitate the VPC-to-VPC communication and, as you can see, the security appliances VPC is segregated from the application VPC, so again, option A is NOT valid. https://catalog.workshops.aws/networking/en-US/gwlb https://www.fortinet.com/blog/business-and-technology/highly-scalable-fortigate-next-generation-firewall-security-on-aws-gateway-load-balancer-service
upvoted 18 times
seetpt
Most Recent 1 week, 6 days ago
Selected Answer: AD
AD for me
upvoted 1 times
red_panda
2 weeks, 6 days ago
Selected Answer: DE
DE without doubt, guys. GWLB is just for this reason. Deploying the security tool into another ASG will only increase the cost and it's crazy; the performance isn't the same as the GWLB (which operates at layer 3 of networking).
upvoted 2 times
teo2157
3 weeks ago
Selected Answer: DE
Based on MRamos' comment.
upvoted 2 times
failexamonly
1 month, 3 weeks ago
Selected Answer: DE
Not A. A does not make sense with D.
upvoted 2 times
gofavad926
2 months ago
Selected Answer: AD
AD: EC2 + ASG + Gateway Load Balancer.
upvoted 3 times
djeong95
2 months, 1 week ago
Selected Answer: DE
I answered AD and searched through these comments' links to try to understand. First, the most convincing case is that, as @rbm2023 answered, it is not the pattern to put the security tool in the existing VPC. The financial company in the question is also looking to only have their application migrate into a dedicated VPC. Second, solution A sounds good, and according to the link below, you can use an ASG with GWLB. I think the key is the fine print of the customer wanting their own dedicated VPC and the pattern of using a TGW in front. (However, it is possible to do without.) https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-network-traffic-inspection-using-aws-gateway-load-balancer/
upvoted 2 times
yog927
2 months, 2 weeks ago
Selected Answer: DE
D and E. Read the question: it says dedicated VPC.
upvoted 2 times
VerRi
2 months, 2 weeks ago
Selected Answer: AD
Try not to over-interpret the given options. Only D and E won't work because the security tool has not been settled down yet.
upvoted 3 times
chelbsik
3 months, 1 week ago
Selected Answer: DE
Vote for DE. Agreed that a 15-year-old security tool might not be able to support autoscaling, and it has to be in a dedicated VPC, according to the task. Forgot to vote.
upvoted 2 times
chelbsik
3 months, 1 week ago
Vote for DE. Agreed that a 15-year-old security tool might not be able to support autoscaling, and it has to be in a dedicated VPC, according to the task.
upvoted 1 times
AWSLord32
3 months, 2 weeks ago
Selected Answer: DE
A is not valid, as the web application needs to be in a dedicated VPC. Also, the security app is 15 years old and likely doesn't support autoscaling natively. DE is best practice.
upvoted 3 times
jpa8300
4 months, 1 week ago
Selected Answer: DE
I agree with what has been said about options D and E. A could be right, but a better architecture would be to put the security tool in its own VPC, not only for this web application but also for use by other apps where you want to use the security tool.
upvoted 2 times
career360guru
4 months, 3 weeks ago
Selected Answer: AD
A and D are the right options. It clearly says the security tool has no cloud offering, so it needs to run on separate EC2 instances. There is no need to run it in a different VPC, and the GWLB will take care of mirroring traffic to this security tool, so it will not affect the application's performance.
upvoted 3 times
HappyPrince
4 months, 3 weeks ago
Selected Answer: AD
As the tool must not impact the performance of the application, installing it in a separate ASG makes sense.
upvoted 3 times
atirado
5 months ago
Selected Answer: DE
There are two main requirements to look after. The web application will be deployed in a dedicated VPC: this means that the security monitoring tool must be deployed outside of the web application's VPC, i.e. in another VPC. Security monitoring must not affect the performance of the web application: this should be straightforward; the natural fit is to use a Gateway Load Balancer. However, where it gets a bit tricky is choosing between Option A and Option D: put the security tool's EC2 instances in an Auto Scaling group, or connect the VPCs using a transit gateway. Option D ensures traffic will reach the security tool for inspection. The wording in Option A seems off ("existing VPC"). But in any case, the whitepaper "Building a Scalable and Secure Multi-VPC AWS Network Infrastructure" provides the answer at https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/welcome.html
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%), Other