What should a solutions architect do to meet these requirements?
Associate an AWS WAF web ACL with the ALB. Use IP rule sets on the ALB to filter traffic. Update the IP addresses in the rule to include the registered IP addresses.
Deploy AWS Firewall Manager to manage the ALB. Configure firewall rules to restrict traffic to the ALB. Modify the firewall rules to include the registered IP addresses.
Store the IP addresses in an Amazon DynamoDB table. Configure an AWS Lambda authorization function on the ALB to validate that incoming requests are from the registered IP addresses.
Configure the network ACL on the subnet that contains the public interface of the ALB. Update the ingress rules on the network ACL with entries for each of the registered IP addresses.
Explanations:
Associating an AWS WAF web ACL with the ALB is the intended solution. Put the registered retail-location addresses (in CIDR form) into a regional WAF IP set, add a rule to the web ACL that allows requests whose source IP matches that set, and set the web ACL's default action to Block so every other source is rejected before it reaches the targets. Adding or removing a store is then a single IP set update; nothing changes on the ALB, the subnets or the application. Note that the ALB itself has no IP-filtering feature of its own; the filtering lives in the web ACL attached to it. One caveat: if a CloudFront distribution or another proxy sits in front of the ALB, the connection source WAF sees is the proxy, and the IP set rule must be configured to read the client address from the X-Forwarded-For header instead.
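The following CloudFormation template is an added example of the recommended option; it is not part of the original question or explanation. It assumes the ALB already exists and is passed in by ARN, and the default CIDR list is constructed from the RFC 5737 documentation ranges rather than real store addresses. The web ACL's default action is Block, and a single rule allows sources that match the IP set.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Allow-list registered retail-location IPs on an ALB with AWS WAF (added example)

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (assumed to exist already)
  RegisteredStoreCidrs:
    Type: CommaDelimitedList
    # Constructed sample values from the RFC 5737 documentation ranges, not real stores.
    Default: 203.0.113.0/24,198.51.100.17/32,192.0.2.40/29

Resources:
  RetailStoreIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: retail-store-egress-ips
      Scope: REGIONAL            # REGIONAL for ALB/API Gateway; CLOUDFRONT is only for distributions
      IPAddressVersion: IPV4
      Addresses: !Ref RegisteredStoreCidrs

  RetailOnlyWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: retail-only-web-acl
      Scope: REGIONAL
      DefaultAction:
        Block: {}                # anything not explicitly allowed by a rule is rejected
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: RetailOnlyWebAcl
      Rules:
        - Name: allow-registered-stores
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt RetailStoreIpSet.Arn
              # If CloudFront or another proxy fronts the ALB, the connection source is the
              # proxy. Uncomment to match the client address carried in X-Forwarded-For:
              # IPSetForwardedIPConfig:
              #   HeaderName: X-Forwarded-For
              #   FallbackBehavior: NO_MATCH   # a missing or malformed header is NOT a store
              #   Position: FIRST
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AllowRegisteredStores

  AlbWebAclAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt RetailOnlyWebAcl.Arn
```

Deploy it with `aws cloudformation deploy --template-file template.yaml --stack-name retail-waf --parameter-overrides AlbArn=<alb-arn>`; onboarding a new store is a stack update with an extended `RegisteredStoreCidrs` value. If the forwarded-IP block is enabled, keep `FallbackBehavior` at `NO_MATCH` so that a request without a parseable header falls through to the default Block rather than being allowed. The `RetailOnlyWebAcl` BlockedRequests metric in CloudWatch is the quickest way to confirm that unregistered sources are actually being rejected after deployment.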
AWS Firewall Manager is an organization-level policy service: it pushes AWS WAF web ACLs, Shield Advanced protections and security group policies across multiple accounts and organizational units. It does not filter traffic by itself, so "deploying Firewall Manager" would still require a WAF IP set rule underneath it to meet the requirement, and for a single ALB it only adds another management layer and cost. It does not directly address the need to allow-list the registered retail-location addresses, making it less suitable for this specific requirement.
This option does not map to a real ALB feature: an ALB has no Lambda authorizer (that is an API Gateway feature). The closest thing an ALB offers is Lambda as a target, in which case every request, including those from unregistered addresses, would invoke the function, which would then have to read the client address from the X-Forwarded-For header and look it up in DynamoDB before forwarding or rejecting. That adds latency and cost to every request, lets unwanted traffic reach compute before it is filtered, and leaves the company maintaining a table and custom code for something WAF does natively. It is far less efficient than a WAF IP set rule on the web ACL attached to the ALB.
Configuring the network ACL on the ALB's subnet could technically restrict access but is not recommended for this scenario. Network ACLs are stateless, so allowing inbound from each store also requires matching outbound rules for ephemeral ports; they have a small quota (20 rules per direction by default, raisable to at most 40), which caps the number of stores that can be listed; and they apply to the whole subnet, not just the ALB. There is also no single "public interface": an ALB has a node in every enabled subnet, so each of those subnets' network ACLs would have to be kept in sync. Adding or changing a store address therefore means renumbering rules in several ACLs, which is far more effort and error-prone than updating a single WAF IP set.