Which steps should the solutions architect recommend to meet these requirements?

By:
In: SAP-C01
Tagged:
With: 1 Comment
A company is deploying a third-party firewall appliance solution from AWS Marketplace to monitor and protect traffic that leaves the company’s AWS environments. The company wants to deploy this appliance into a shared services VPC and route all outbound internet-bound traffic through the appliances.A solutions architect needs to recommend a deployment method that prioritizes reliability and minimizes failover time between firewall appliances within a singleAWS Region. The company has set up routing from the shared services VPC to other VPCs.

Which steps should the solutions architect recommend to meet these requirements?

(Choose three.)

Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.

Create a new Network Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Network Load Balancer. Add each of the firewall appliance instances to the target group.

Create a new Gateway Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Gateway Load Balancer. Add each of the firewall appliance instances to the target group.

Create a VPC interface endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.

Deploy two firewall appliances into the shared services VPC, each in the same Availability Zone.

Create a VPC Gateway Load Balancer endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.

Explanations:

Deploying the firewall appliances in separate Availability Zones (AZs) ensures high availability and minimizes failover time. This setup helps maintain traffic protection even if one AZ goes down.

A Network Load Balancer (NLB) is not ideal for firewall appliances that inspect traffic; it is more suitable for distributing traffic across instances without inspection. The correct load balancer for this case is the Gateway Load Balancer.

The Gateway Load Balancer is designed to work with appliances that inspect or modify traffic. It allows the firewall appliances to scale, ensuring reliability and fast failover by routing traffic efficiently.

A VPC interface endpoint is used for private communication with AWS services, not for routing traffic through firewall appliances. It is not suitable for routing internet-bound traffic through firewalls.

Deploying the firewall appliances in the same AZ introduces a single point of failure. If that AZ fails, traffic protection is compromised, which contradicts the requirement for high availability.

A VPC Gateway Load Balancer endpoint ensures that traffic is directed to the firewall appliances for inspection. It is the most appropriate method to route traffic through firewall appliances while supporting high availability and failover.

2025-10-06

1 Comment

  1. Kyle
    Author

    I conclude that the answer is:
    Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.

Leave a Reply

Your email address will not be published. Required fields are marked *

2 × 3 =