Which solution meets these requirements?
Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups.
Set up an AWS WAF web ACL. Create a custom set of rules that filter traffic requests based on source and destination IP address range sets.
Implement strict inbound security group rules. Configure an outbound rule that allows traffic only to the authorized software repositories on the internet by specifying the URLs.
Configure an Application Load Balancer (ALB) in front of the EC2 instances. Direct all outbound traffic to the ALB. Use a URL-based rule listener in the ALB’s target group for outbound access to the internet.
Explanations:
Updating the route table to route outbound traffic through an AWS Network Firewall allows for granular control over internet access. By configuring domain list rule groups, the VPC can be set to only allow traffic to approved third-party software repositories while blocking all other internet traffic. This meets the requirement of restricting access to specific URLs.
AWS WAF is designed for filtering incoming traffic to web applications, not for controlling outbound traffic from EC2 instances. Additionally, it operates at the application layer, making it unsuitable for this specific requirement of allowing outbound access only to certain approved URLs.
While configuring strict inbound security group rules is important for controlling access to EC2 instances, security groups do not support URL filtering for outbound rules. They can only filter based on IP addresses and ports, meaning they cannot effectively restrict traffic to the specified software repositories by URL.
An Application Load Balancer (ALB) is designed for incoming traffic management and would not be suitable for directing outbound traffic from EC2 instances. Moreover, ALBs do not support URL-based filtering for outbound traffic; they are primarily focused on managing incoming requests to web applications. This option does not fulfill the requirement of restricting internet access effectively.