Which solution will meet these requirements?
Configure a route in a route table to direct traffic from the internet to the private IP addresses of the EC2 instances.
Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB.
Move the EC2 instances into the public subnet. Give the EC2 instances a set of Elastic IP addresses.
Configure the security group for the ALB to allow any TCP traffic on any port.
Explanations:
Configuring a route to direct internet traffic to the private IP addresses of the EC2 instances does not work and does not meet the requirement: a route table governs where traffic leaving a subnet is sent, it cannot grant the internet a path to private addresses, and any design whose goal is to reach the instances directly from the internet contradicts the requirement that inbound traffic be restricted to the ALB.
Configuring the security group for the EC2 instances to allow inbound traffic on the application port only from the security group associated with the ALB is the correct solution. A security group reference matches on membership in the ALB's security group rather than on an IP address, so only the ALB's network interfaces can reach the instances, the rule keeps working when the ALB's node addresses change, and no CIDR (such as 0.0.0.0/0 or the VPC range) has to be opened.
Moving the EC2 instances to a public subnet and assigning Elastic IP addresses makes the instances directly reachable from the internet, which violates the requirement that they accept traffic only through the ALB.
Allowing any TCP traffic on any port in the ALB's security group widens the ALB's own exposure and does nothing to restrict what reaches the instances; the ALB's security group should admit only its listener ports, and the restriction on the instances has to be expressed in the instances' security group.
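The following added example (not part of the original question or of any AWS documentation) shows the second option in code: it builds the IpPermissions entry that admits traffic only from the ALB's security group, in the shape boto3's ec2.authorize_security_group_ingress accepts, and audits an instance security group as returned by describe-security-groups for any other inbound source. The security group IDs, the application port 8080 and the two sample security groups are constructed for illustration and are assumptions, not values from the page; the audit runs offline against the embedded sample data.

```python
"""Build and audit an 'ALB-only' ingress rule for EC2 instance security groups.

Added example; the group IDs, port and sample rule sets below are constructed
assumptions, not values from the original page.
"""

# Hypothetical security group IDs (assumptions for the example).
ALB_SG_ID = "sg-0aaaa1111alb00000"
APP_SG_ID = "sg-0bbbb2222app00000"
APP_PORT = 8080


def alb_only_ingress(alb_sg_id: str, port: int) -> list:
    """IpPermissions entry admitting TCP `port` only from members of the ALB SG.

    Pass this as IpPermissions= to ec2.authorize_security_group_ingress(GroupId=APP_SG_ID, ...).
    The source is a security-group reference (UserIdGroupPairs), not a CIDR, so
    only ENIs attached to the ALB's security group match.
    """
    return [{
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": alb_sg_id}],
    }]


def audit_instance_sg(sg: dict, alb_sg_id: str) -> list:
    """Return findings for every inbound source on `sg` other than the ALB SG.

    `sg` is one element of describe_security_groups()["SecurityGroups"].
    An empty list means the instance SG admits traffic only from the ALB.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # IpProtocol "-1" (all traffic) carries no FromPort/ToPort.
        ports = f"{perm.get('FromPort', 'all')}-{perm.get('ToPort', 'all')}"
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} on {proto}/{ports}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"CIDR source {r['CidrIpv6']} on {proto}/{ports}")
        for p in perm.get("PrefixListIds", []):
            findings.append(f"prefix list {p['PrefixListId']} on {proto}/{ports}")
        for g in perm.get("UserIdGroupPairs", []):
            if g.get("GroupId") != alb_sg_id:
                findings.append(f"SG source {g.get('GroupId')} on {proto}/{ports}")
    return findings


# Constructed sample: an instance SG that matches the correct option.
HARDENED_APP_SG = {
    "GroupId": APP_SG_ID,
    "IpPermissions": alb_only_ingress(ALB_SG_ID, APP_PORT),
}

# Constructed sample: the same port also open to the world, plus SSH from the VPC.
WEAK_APP_SG = {
    "GroupId": APP_SG_ID,
    "IpPermissions": [
        {
            "IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
            "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
            "UserIdGroupPairs": [{"GroupId": ALB_SG_ID}],
        },
        {
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
        },
    ],
}


if __name__ == "__main__":
    for name, sg in (("hardened", HARDENED_APP_SG), ("weak", WEAK_APP_SG)):
        findings = audit_instance_sg(sg, ALB_SG_ID)
        print(f"{name}: {'OK, ALB-only' if not findings else findings}")
```

With real credentials the same audit would iterate over ec2.describe_security_groups(GroupIds=[APP_SG_ID])["SecurityGroups"]; any finding means a source other than the ALB can reach the instances and should be removed with revoke_security_group_ingress.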