What should a solutions architect recommend to accomplish this?
Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the NLBs. Create an accelerator using AWS Global Accelerator and register the NLBs as endpoints.
Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Deploy AWS WAF on the ALBs. Create an accelerator using AWS Global Accelerator and register the ALBs as endpoints.
Put the EC2 instances behind Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the NLBs. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the NLBs.
Put the EC2 instances behind Application Load Balancers (ALBs) in each Region. Create an Amazon CloudFront distribution with an origin that uses Amazon Route 53 latency-based routing to route requests to the ALBs. Deploy AWS WAF on the CloudFront distribution.
Explanations:
NLBs do not support AWS WAF, which is required to protect against web exploits. Additionally, AWS Global Accelerator requires endpoints that are compatible with application-layer traffic, which NLBs are not.
ALBs support AWS WAF and are suitable for HTTP-based applications. AWS Global Accelerator can improve performance and availability by routing traffic to the nearest ALB, and static IP addresses are supported.
NLBs do not support AWS WAF, which is needed for web exploit protection. CloudFront can distribute traffic, but it is not the best option in combination with NLBs for application-level security and optimization.
Although ALBs support AWS WAF and CloudFront handles distribution, deploying AWS WAF on the CloudFront distribution is not the most effective approach for web security in this scenario. AWS WAF should be deployed on the ALB, not on CloudFront, for direct application-level protection.