What should the solutions architect recommend to meet this requirement?

By:
In: SAA-C02
Tagged:
With: 2 Comments
A company operates a two-tier application for image processing.The application uses two Availability Zones, each with one public subnet and one private subnet.An Application Load Balancer (ALB) for the web tier uses the public subnets.Amazon EC2 instances for the application tier use the private subnets.Users report that the application is running more slowly than expected.A security audit of the web server log files shows that the application is receiving millions of illegitimate requests from a small number of IP addresses.A solutions architect needs to resolve the immediate performance problem while the company investigates a more permanent solution.

What should the solutions architect recommend to meet this requirement?

Modify the inbound security group for the web tier. Add a deny rule for the IP addresses that are consuming resources.

Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.

Modify the inbound security group for the application tier. Add a deny rule for the IP addresses that are consuming resources.

Modify the network ACL for the application tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.

Explanations:

Modifying the inbound security group for the web tier to add a deny rule will not effectively block illegitimate requests because security groups are stateful and do not support deny rules. They only allow specific traffic. Therefore, legitimate traffic from other IPs may still be affected, and this does not resolve the immediate issue effectively.

Modifying the network ACL for the web tier subnets by adding an inbound deny rule for the specific IP addresses will effectively block all incoming requests from those IPs. Network ACLs are stateless and can explicitly deny traffic, which directly addresses the issue of illegitimate requests affecting performance. This option provides an immediate solution to mitigate the problem.

Modifying the inbound security group for the application tier does not help with the performance issue on the web tier. The application tier resides in private subnets and does not directly receive traffic from the public internet. Therefore, adding a deny rule here will not prevent the illegitimate traffic that is impacting the web tier.

Modifying the network ACL for the application tier subnets will not resolve the performance issues on the web tier since the application tier operates in private subnets and does not handle incoming traffic from the internet. The problem lies with the web tier, and this action would not effectively address the illegitimate requests impacting performance.

2026-03-30

2 Comments

  1. Jerry
    Author

    I calculate that the answer is:
    Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.

  2. Sarah
    Author

    I opine that the answer is:
    Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.

Leave a Reply

Your email address will not be published. Required fields are marked *

nine − eight =