Which solution will meet these requirements?

By:
In: SAA-C03
Tagged:
With: 2 Comments
A company hosts a video streaming web application in a VPC.The company uses a Network Load Balancer (NLB) to handle TCP traffic for real-time data processing.There have been unauthorized attempts to access the application.The company wants to improve application security with minimal architectural change to prevent unauthorized attempts to access the application.

Which solution will meet these requirements?

Implement a series of AWS WAF rules directly on the NLB to filter out unauthorized traffic.

Recreate the NLB with a security group to allow only trusted IP addresses.

Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.

Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.

Explanations:

AWS WAF cannot be directly implemented on a Network Load Balancer, as it is designed for application-level traffic (HTTP/HTTPS), not TCP traffic handled by NLBs.

Recreating the NLB with a security group allows for IP address filtering, enabling the restriction of access to only trusted IP addresses, enhancing security with minimal changes to the architecture.

Deploying a second NLB with an IP allow list adds complexity and does not address the unauthorized access attempts as effectively as modifying the existing NLB’s security settings.

AWS Shield Advanced primarily provides DDoS protection, but it does not specifically prevent unauthorized access attempts. It focuses on mitigating attack vectors rather than access control.

2026-03-27

2 Comments

  1. Helen
    Author

    I draft that the answer is:
    Recreate the NLB with a security group to allow only trusted IP addresses.

  2. Caleb
    Author

    I opine that the answer is:
    Recreate the NLB with a security group to allow only trusted IP addresses.

Leave a Reply to Caleb Cancel reply

Your email address will not be published. Required fields are marked *

fifteen − two =