Which solutions can the company use to meet these requirements?
(Choose two.)
Create and configure a security group that allows access from the company’s IP address range. Apply the security group to the API Gateway API.
Create and configure a network ACL that allows traffic from the company’s IP address range. Apply the network ACL to the API Gateway API subnet.
Create an AWS WAF web ACL. Configure an IP match rule that allows traffic from the company’s IP address range. Apply the web ACL to the API Gateway API.
Use a condition in the API Gateway resource policy to allow access only from the company’s IP address range.
Create an interface VPC endpoint for the API Gateway execute-api. Instruct testers to use this endpoint.
Explanations:
Security groups control inbound and outbound traffic to EC2 instances. They are not directly applicable to API Gateway, which operates at a higher level of abstraction and does not interact with security groups.
Network ACLs operate at the subnet level and are used for controlling traffic within VPCs. API Gateway does not reside in a subnet where network ACLs can be applied, making this solution infeasible.
AWS WAF (Web Application Firewall) allows you to create rules to filter traffic based on IP addresses. Creating an IP match rule that allows only the company’s IP address range and associating the WAF web ACL with the API Gateway API restricts access.
API Gateway resource policies allow you to specify conditions, such as allowing access from specific IP ranges. A resource policy can be configured to restrict access to only the company’s IP address range, fulfilling the requirement.
While an interface VPC endpoint can be used to restrict API Gateway access to within a VPC, it requires testers to access the service through a specific VPC endpoint, which is not ideal for external testers outside the VPC or network.