Which solution meets these requirements?
A. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
B. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create an Amazon CloudFront distribution that uses the ALB as its origin. Create appropriate AWS WAF ACLs and enable them on the CloudFront distribution.
C. Create an Application Load Balancer (ALB) that uses public subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
D. Create an Application Load Balancer (ALB) that uses private subnets across multiple Availability Zones within a single Region. Point the ALB to an Auto Scaling group with Amazon EC2 instances in private subnets across multiple Availability Zones within the same Region. Create appropriate AWS WAF ACLs and enable them on the ALB.
Explanations:
A. This option implements a two-tier architecture with a public Application Load Balancer (ALB) in front of private EC2 instances, enabling the ALB to handle incoming traffic and mitigate DDoS attacks. The integration with CloudFront allows for additional caching and content delivery optimization, while AWS WAF can be used to create rules to prevent common attacks such as cross-site scripting and SQL injection.
B. Using private subnets for the Application Load Balancer (ALB) is incorrect because ALBs must be in public subnets to receive traffic from the internet. This configuration would prevent external users from accessing the application. Although it allows for a secure backend, it fails to meet the requirement of a global latency-sensitive web application accessible to users.
C. While this option correctly places the ALB in public subnets and the EC2 instances in private subnets, it does not mention the use of CloudFront. CloudFront provides enhanced performance and additional security features such as DDoS protection. Additionally, the WAF is applied to CloudFront in option A, which provides better security posture than just applying it to the ALB directly.
D. Similar to option B, this option incorrectly uses private subnets for the ALB. An ALB must be placed in public subnets to properly handle incoming traffic from the internet. While it does mention AWS WAF for protecting against attacks, the architecture is fundamentally flawed by not exposing the ALB to external traffic.