Q: 2
A company has an application that serves clients that are deployed in more than 20,000 retail
storefront locations around the world. The application consists of backend web services that are
exposed over HTTPS on port 443. The application is hosted on Amazon EC2 instances behind an
Application Load Balancer (ALB). The retail locations communicate with the web application over the
public internet. The company allows each retail location to register the IP address that the retail
location has been allocated by its local ISP.
The company's security team recommends increasing the security of the application endpoint by
restricting access to only the IP addresses registered by the retail locations.
What should a solutions architect do to meet these requirements?
Options
Discussion
Makes sense to use A here, since AWS WAF with an IP set is built for this kind of mass IP filtering. Managing thousands of addresses with network ACLs would be a nightmare. Pretty sure about A but let me know if you think otherwise.
I don’t think D is right here, that’s a trap. A handles thousands of IPs easily with WAF IP sets, while network ACLs (D) would hit limits and be a nightmare to manage at this scale.
WAF with IP sets is the only thing that scales to thousands of addresses. A
Yeah this feels like A. WAF IP set scales way better with 20k addresses.
A fits here imo. AWS WAF lets you create IP set match rules and easily handle thousands of IP addresses, so it's actually built for this use case. NACLs (D) have hard limits and would be crazy to manage with 20k+ entries. Pretty sure it's A unless there's something I'm missing, feel free to disagree.
WAF using IP sets is built for handling thousands of IPs and integrates directly with ALB, so A fits best here. NACLs (like in D) get too messy with 20k+ entries. Pretty sure it’s A but open to other takes.
Maybe D here. Network ACLs can restrict inbound by IP, so you could technically add all those IP addresses, though it's a bit messy to maintain for 20k+ entries. It might look tempting on the exam as a direct way to block/allow, but I think that's the trap in this question.
It's A, but I guess B might work too if WAF isn't enabled by default on the ALB.
B. not D. Saw something like this in exam reports and WAF IP sets (A) always comes up for big IP lists.
A, similar question came up in practice exams and official guide covers WAF with IP sets for this scale.
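As an added illustration of the approach the comments favour (not code from the page or from any exam guide), here is a CloudFormation template that creates a regional AWS WAF IP set, a web ACL whose default action blocks and whose only rule allows traffic matching that IP set, and the association that attaches the web ACL to the ALB. The ALB ARN is a deploy-time placeholder and the two addresses are constructed sample values from documentation ranges.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Allow-list registered retail IPs on an ALB with an AWS WAF IP set (added example)

Parameters:
  AlbArn:
    Type: String
    Description: ARN of the existing Application Load Balancer (placeholder, supplied at deploy time)

Resources:
  RetailIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: retail-storefront-ips
      Scope: REGIONAL          # ALB is a regional resource; CLOUDFRONT scope is only for distributions
      IPAddressVersion: IPV4
      Addresses:               # constructed sample entries; real entries come from the registration process
        - 203.0.113.10/32
        - 198.51.100.0/24

  RetailWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: retail-storefront-acl
      Scope: REGIONAL
      DefaultAction:
        Block: {}              # anything not explicitly allowed by a rule below is blocked
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: retail-storefront-acl
      Rules:
        - Name: allow-registered-retail-ips
          Priority: 0
          Action:
            Allow: {}
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt RetailIpSet.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: allow-registered-retail-ips

  AlbAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: !Ref AlbArn
      WebACLArn: !GetAtt RetailWebAcl.Arn
```

When a storefront registers or changes its address, only the IP set's address list needs updating; the CloudWatch metrics on the web ACL show how many requests the default block action is dropping.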