Q: 2
A company has an application that serves clients that are deployed in more than 20,000 retail
storefront locations around the world. The application consists of backend web services that are
exposed over HTTPS on port 443. The application is hosted on Amazon EC2 instances behind an
Application Load Balancer (ALB). The retail locations communicate with the web application over the
public internet. The company allows each retail location to register the IP address that the retail
location has been allocated by its local ISP.
The company's security team recommends increasing the security of the application endpoint by
restricting access to only the IP addresses registered by the retail locations.
What should a solutions architect do to meet these requirements?
Options
Discussion
Makes sense to use A here, since AWS WAF with an IP set is built for this kind of mass IP filtering. Managing thousands of addresses with network ACLs would be a nightmare. Pretty sure about A but let me know if you think otherwise.
WAF with IP sets is the only thing that scales to thousands of addresses. A
WAF using IP sets is built for handling thousands of IPs and integrates directly with ALB, so A fits best here. NACLs (like in D) get too messy with 20k+ entries. Pretty sure it’s A but open to other takes.
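An added example (not posted by anyone in this thread and not AWS sample code) of what the WAF IP set approach involves in practice: the registered storefront addresses are normalised into host CIDRs, split into IP sets (one address family per set, bounded size), and referenced from a web ACL whose default action is Block. The per-set quota constant, the sample registrations and any ARNs are assumptions.

```python
import ipaddress

IP_SET_MAX_ADDRESSES = 10_000  # assumed per-IP-set quota; verify against current AWS WAF limits
REJECT = [ipaddress.ip_network(n) for n in (  # ranges no ISP allocates to a storefront
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

def normalize_registered_ips(raw):
    """Parse self-registered addresses into the host CIDRs (/32, /128) WAF IP sets
    require, dropping malformed entries, ranges, duplicates and non-public addresses."""
    keep = set()
    for entry in raw:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            continue  # malformed registration: never let it widen the allow-list
        if net.prefixlen != net.max_prefixlen:
            continue  # a storefront registers one address, not a whole block
        if any(net.network_address in r for r in REJECT):
            continue
        keep.add(str(net))
    return sorted(keep)

def plan_ip_sets(cidrs, max_per_set=IP_SET_MAX_ADDRESSES):
    """An IP set holds one address family and a bounded number of entries, so
    20,000+ storefronts need several sets: split by family, then by size."""
    plan = []
    for version in ("IPV4", "IPV6"):
        family = [c for c in cidrs if ipaddress.ip_network(c).version == (4 if version == "IPV4" else 6)]
        for i in range(0, len(family), max_per_set):
            plan.append({"Name": f"storefronts-{version.lower()}-{i // max_per_set}",
                         "IPAddressVersion": version, "Addresses": family[i:i + max_per_set]})
    return plan

def build_web_acl(ip_set_arns):
    """Web ACL for the ALB: default action Block, one Allow rule per IP set."""
    vis = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
    rules = [{"Name": f"allow-registered-{i}", "Priority": i,
              "Statement": {"IPSetReferenceStatement": {"ARN": arn}},
              "Action": {"Allow": {}},
              "VisibilityConfig": dict(vis, MetricName=f"allow-registered-{i}")}
             for i, arn in enumerate(ip_set_arns)]
    return {"Scope": "REGIONAL", "DefaultAction": {"Block": {}}, "Rules": rules,
            "VisibilityConfig": dict(vis, MetricName="storefront-allowlist")}

# Constructed sample registrations (documentation ranges): a duplicate with
# stray whitespace, a private address, a malformed entry and a whole /24.
SAMPLE = ["203.0.113.5", "203.0.113.5 ", "198.51.100.7", "192.168.1.10",
          "2001:db8::1", "not-an-ip", "203.0.113.0/24"]
```

The dictionaries returned by `plan_ip_sets` and `build_web_acl` map onto the `wafv2` `create-ip-set` and `create-web-acl` inputs; the web ACL is then attached to the ALB with `associate-web-acl`.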
Maybe D here. Network ACLs can restrict inbound by IP, so you could technically add all those IP addresses, though it's a bit messy to maintain for 20k+ entries. It might look tempting on the exam as a direct way to block/allow, but I think that's the trap in this question.
It's A, but I guess B might work too if WAF isn't enabled by default on the ALB.
B, not D. Saw something like this in exam reports and WAF IP sets (A) always comes up for big IP lists.
A, similar question came up in practice exams and the official guide covers WAF with IP sets for this scale.
D tbh, network ACL rules seem like they'd work for IP filtering in this setup.
Option D