The core requirements are end-to-end encryption terminated on the Amazon EC2 instances and session affinity. A Network Load Balancer (NLB) operating at the transport layer (Layer 4) is required to meet these needs. By configuring a TCP listener on port 443, the NLB passes the encrypted traffic directly to the target EC2 instances without decrypting it. This allows the TLS session to be terminated on the EC2 instances themselves, fulfilling the end-to-end encryption requirement using the application's certificate. The NLB's session affinity (sticky sessions) feature ensures that subsequent requests from the same client are routed to the same EC2 instance, satisfying the session persistence requirement.

B. An Application Load Balancer (ALB) with an HTTPS listener terminates the TLS connection at the load balancer, not the EC2 instance. Forwarding traffic via HTTP to the targets breaks the end-to-end encryption requirement.

C. A Network Load Balancer with a TLS listener terminates the TLS connection at the load balancer. This contradicts the requirement for the connection to be encrypted all the way to the application on the EC2 instance.

D. This configuration is invalid. An Application Load Balancer cannot have an HTTP listener on port 443. An HTTPS listener is required for encrypted traffic, which would terminate TLS at the load balancer, failing the end-to-end encryption requirement.

1. AWS Documentation, Elastic Load Balancing User Guide for Network Load Balancers: "Listeners for your Network Load Balancer". It states, "If you configure a TCP listener on port 443, the load balancer passes the request to the targets without decryption. The targets are responsible for decrypting the traffic." This directly supports the pass-through mechanism described in option A for end-to-end encryption.

2. AWS Documentation, Elastic Load Balancing User Guide for Network Load Balancers: "Sticky sessions for your Network Load Balancer". The documentation confirms, "By default, a Network Load Balancer routes each request independently to a registered target... If you enable sticky sessions, the requests from a client are sent to the same target." This supports the session affinity requirement.

3. AWS Documentation, Elastic Load Balancing User Guide for Application Load Balancers: "Listeners for your Application Load Balancers". It details that for an HTTPS listener, "Elastic Load Balancing uses a server certificate to terminate the front-end connection and then to decrypt requests from clients before sending them to the targets." This confirms that ALBs (Options B and D) terminate encryption, violating the requirement.

4. AWS Documentation, Elastic Load Balancing User Guide for Network Load Balancers: "TLS listeners for your Network Load Balancer". It specifies, "To use a TLS listener, you must deploy a server certificate on your load balancer. The load balancer uses this certificate to terminate the connection and decrypt requests from clients before sending them to targets." This confirms that an NLB with a TLS listener (Option C) also terminates encryption.