Amazon SAA-C03: How to Improve AWS Application Security with Minimal Architectural Change

Learn the best solution to improve security and prevent unauthorized access attempts for an AWS application using a Network Load Balancer (NLB). Compare AWS WAF, security groups, dual NLBs, and AWS Shield Advanced.

Question

A company hosts a video streaming web application in a VPC. The company uses a Network Load Balancer (NLB) to handle TCP traffic for real-time data processing. There have been unauthorized attempts to access the application.

The company wants to improve application security with minimal architectural change to prevent unauthorized attempts to access the application.

Which solution will meet these requirements?

A. Implement a series of AWS WAF rules directly on the NLB to filter out unauthorized traffic.
B. Recreate the NLB with a security group to allow only trusted IP addresses.
C. Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.
D. Use AWS Shield Advanced to provide enhanced DDoS protection and prevent unauthorized access attempts.

Answer

The best solution to improve application security with minimal architectural change is:

C. Deploy a second NLB in parallel with the existing NLB configured with a strict IP address allow list.

Explanation

  • Deploying a second NLB in front of the existing one allows you to implement an IP allow list on the new NLB. This will filter traffic and only allow trusted IP addresses to reach the application.
  • This approach requires minimal changes to the existing architecture. The original NLB can remain as-is to handle the expected traffic, while the new NLB provides an additional layer of security.
  • AWS WAF (option A) cannot be directly applied to NLBs. It can only be used with Application Load Balancers (ALB), API Gateway, CloudFront, and AppSync.
  • NLB security groups (option B) are not supported. Security groups are supported for ALBs but not NLBs.
  • AWS Shield Advanced (option D) provides enhanced DDoS protection but does not provide the ability to filter traffic based on IP allow lists to prevent unauthorized access attempts.

In summary, configuring a second NLB with a strict IP allow list requires minimal architectural change while providing robust protection against unauthorized access attempts to the application.