Which combination of steps should the solutions architect take to meet these requirements?
(Choose three.)
Use a Network Load Balancer (NLB) in front of the player-matching instance. Use a friendly DNS entry in Amazon Route 53 pointing to the NLB’s Elastic IP address.
Use an Application Load Balancer (ALB) in front of the player-matching instance. Use a friendly DNS entry in Amazon Route 53 pointing to the ALB's internet-facing fully qualified domain name (FQDN).
Define an AWS WAF rule to explicitly drop non-UDP traffic, and associate the rule with the load balancer.
Configure a network ACL rule to block all non-UDP traffic. Associate the network ACL with the subnets that hold the load balancer instances.
Use Amazon CloudFront with an Elastic Load Balancer as an origin.
Enable AWS Shield Advanced on all public-facing resources.
Explanations:
A Network Load Balancer (NLB) supports UDP traffic, making it ideal for the player-matching service. It can forward UDP traffic to the instances, and a friendly DNS entry in Route 53 pointing to the NLB's Elastic IP address gives clients a stable, easy-to-use endpoint while preserving the scalability of the load balancer.
An Application Load Balancer (ALB) is not suitable for UDP traffic as it only supports HTTP/HTTPS. This makes it unsuitable for the player-matching service that relies on UDP.
AWS WAF is designed to filter HTTP/S traffic, not UDP traffic. Since the service uses UDP, a WAF rule to drop non-UDP traffic is not applicable.
A network ACL can allow UDP and deny all other protocols at the subnet level, providing an additional layer of security so that only UDP traffic reaches the instances behind the load balancer.
CloudFront is designed for HTTP/HTTPS traffic and cannot handle UDP traffic directly. Therefore, it would not work for a service relying on UDP.
AWS Shield Advanced offers enhanced protection against DDoS attacks for public-facing resources. Enabling it protects the NLB and the other public-facing AWS resources from such attacks.