Which solution will meet these requirements?
Configure a route in a route table to direct traffic from the internet to the private IP addresses of the EC2 instances.
Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.
Move the EC2 instances into the public subnet. Give the EC2 instances a set of Elastic IP addresses.
Configure the security group for the ALB to allow any TCP traffic on any port.
Explanations:
Configuring a route to direct internet traffic to private IP addresses of EC2 instances would expose the instances directly to the internet, which contradicts the requirement of restricting inbound traffic.
Configuring the security group for the EC2 instances to only allow traffic from the security group associated with the ALB effectively restricts access to the instances, ensuring that only the ALB can send traffic to them, thereby enhancing security.
Moving the EC2 instances to a public subnet and assigning Elastic IP addresses would expose the instances to the internet, which violates the requirement of preventing access from sources outside the private subnet.
Allowing any TCP traffic on any port for the ALB’s security group would not restrict the inbound traffic to only that from the ALB, which could allow unwanted access from other sources.
As I see it, the answer is:
Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.
It seems to me that the answer is:
Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.