What should the solutions architect recommend to meet this requirement?
Modify the inbound security group for the web tier. Add a deny rule for the IP addresses that are consuming resources.
Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.
Modify the inbound security group for the application tier. Add a deny rule for the IP addresses that are consuming resources.
Modify the network ACL for the application tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.
Explanations:
Modifying the inbound security group for the web tier to add a deny rule for specific IP addresses is not effective because security groups are stateful and do not support deny rules; they only allow or block based on specified rules.
Modifying the network ACL for the web tier subnets to add an inbound deny rule for the specific IP addresses is effective because network ACLs are stateless and can block incoming traffic from known illegitimate sources, reducing the load on the application and improving performance.
Modifying the inbound security group for the application tier to deny specific IP addresses is not effective because security groups do not support deny rules; they can only allow traffic. Blocking at this layer will not stop the illegitimate requests targeting the web tier.
Modifying the network ACL for the application tier subnets to add an inbound deny rule for the specific IP addresses is not the best option because the illegitimate traffic is directed towards the web tier, not the application tier. Blocking traffic at the application tier does not address the immediate issue of the web server being overwhelmed.
I strategize that the answer is:
Modify the network ACL for the web tier subnets. Add an inbound deny rule for the IP addresses that are consuming resources.