What combination of steps could a Solutions Architect take to protect a web workload running on Amazon EC2 from DDoS and application layer attacks?
(Choose two.)
Put the EC2 instances behind a Network Load Balancer and configure AWS WAF on it.
Migrate the DNS to Amazon Route 53 and use AWS Shield.
Put the EC2 instances in an Auto Scaling group and configure AWS WAF on it.
Create and use an Amazon CloudFront distribution and configure AWS WAF on it.
Create and use an internet gateway in the VPC and use AWS Shield.
Explanations:
Putting EC2 instances behind a Network Load Balancer (NLB) does not directly provide DDoS protection. NLB is for distributing traffic but does not have built-in DDoS protection or WAF functionality. AWS WAF works with an Application Load Balancer (ALB) or Amazon CloudFront, not NLB.
Migrating DNS to Amazon Route 53 improves DNS resolution and is integrated with AWS Shield for DDoS protection. AWS Shield provides protection against DDoS attacks, and Route 53 offers high availability and scalability.
Placing EC2 instances in an Auto Scaling group helps with scalability and fault tolerance but does not directly address DDoS or application layer attacks. AWS WAF can be used with an ALB, but it cannot be configured on an Auto Scaling group itself.
Using Amazon CloudFront (CDN) helps mitigate DDoS and application layer attacks by caching content and distributing traffic. Configuring AWS WAF on CloudFront adds a further layer of protection against malicious traffic and attacks.
An internet gateway in a VPC does not provide DDoS protection. It simply enables internet connectivity for resources in the VPC. AWS Shield is separate from the internet gateway and requires integration with services like Route 53, CloudFront, or ALB for protection.
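The two combinations the explanations credit with protection, Route 53 with AWS Shield and CloudFront with AWS WAF, can be expressed in one CloudFormation template. This is an added example, not part of the original question; parameter names, rule names and the rate limit are assumptions. AWS Shield Standard has no resource of its own here because it applies automatically to CloudFront and Route 53.

```yaml
# Added example. Deploy in us-east-1: CLOUDFRONT-scope web ACLs must be created there.
Parameters:   # all parameter names are assumptions
  OriginDomainName: {Type: String}   # public DNS name that reaches the EC2 workload
  SiteName: {Type: String}           # viewer-facing name, e.g. www.example.com
  CertificateArn: {Type: String}     # ACM certificate in us-east-1 covering SiteName
  HostedZoneId: {Type: "AWS::Route53::HostedZone::Id"}
Resources:
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction: {Allow: {}}
      VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: web-acl}
      Rules:
        - Name: rate-limit-per-ip   # blocks a source IP above 2000 requests per 5 minutes
          Priority: 0
          Action: {Block: {}}
          Statement: {RateBasedStatement: {Limit: 2000, AggregateKeyType: IP}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: rate-limit}
        - Name: aws-common-rules    # AWS managed rule group for common web exploits
          Priority: 1
          OverrideAction: {None: {}}
          Statement: {ManagedRuleGroupStatement: {VendorName: AWS, Name: AWSManagedRulesCommonRuleSet}}
          VisibilityConfig: {SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: common-rules}
  Distribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Aliases: [!Ref SiteName]
        WebACLId: !GetAtt WebAcl.Arn    # WAFv2 web ACLs are referenced by ARN
        ViewerCertificate: {AcmCertificateArn: !Ref CertificateArn, SslSupportMethod: sni-only}
        Origins:
          - Id: ec2-origin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig: {OriginProtocolPolicy: https-only}
        DefaultCacheBehavior:
          TargetOriginId: ec2-origin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6   # managed CachingOptimized policy
  DnsRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref HostedZoneId
      Name: !Ref SiteName
      Type: A
      AliasTarget:
        DNSName: !GetAtt Distribution.DomainName
        HostedZoneId: Z2FDTNDATAQYW2   # fixed hosted zone ID used for CloudFront alias targets
```

The web ACL only inspects requests that arrive through CloudFront, so the origin should accept traffic from CloudFront alone; otherwise clients that reach the EC2 instances directly bypass both the WAF rules and the edge.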