How to configure AWS accounts managed with AWS Organizations so that a security appliance in a central networking account can inspect traffic between applications that live in other accounts, and which AWS services actually provide that transparent, cross-account inspection path.
Question
An ecommerce company runs several internal applications in multiple AWS accounts. The company uses AWS Organizations to manage its AWS accounts.
A security appliance in the company’s networking account must inspect interactions between applications across AWS accounts.
Which solution will meet these requirements?
A. Deploy a Network Load Balancer (NLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the NLB by using an interface VPC endpoint in the application accounts.
B. Deploy an Application Load Balancer (ALB) in the application accounts to send traffic directly to the security appliance.
C. Deploy a Gateway Load Balancer (GWLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the GWLB by using an interface GWLB endpoint in the application accounts.
D. Deploy an interface VPC endpoint in the application accounts to send traffic directly to the security appliance.
Answer
The best solution to enable a security appliance in a networking account to inspect interactions between applications across multiple AWS accounts managed by AWS Organizations is:
C. Deploy a Gateway Load Balancer (GWLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the GWLB by using an interface GWLB endpoint in the application accounts.
Explanation
Here’s why this is the most suitable approach:
- Gateway Load Balancer (GWLB) is purpose-built for inserting virtual appliances such as firewalls, intrusion detection and prevention systems, and deep packet inspection engines into the traffic path. It operates at layer 3, load balances flows across a fleet of appliances, health-checks them, and encapsulates the original packets in GENEVE (UDP port 6081) so the appliance receives the unmodified IP packet and returns it on the same tunnel. Because both directions of a flow are pinned to the same appliance, the appliance can keep state and decide per flow whether to forward or drop.
- Deploying the GWLB in the networking account creates a single inspection point that many application accounts share. One appliance fleet, one rule set, and one place to scale, rather than a copy per account.
- In each application account you create a Gateway Load Balancer endpoint (a VPC endpoint whose type is GatewayLoadBalancer; the options call it an "interface GWLB endpoint", but it is distinct from a regular interface endpoint). The endpoint is created against a PrivateLink endpoint service in the networking account that fronts the GWLB, and the networking account authorizes the application accounts by listing them as allowed principals on that service. Route tables in the application VPC then send traffic destined for the other application to the endpoint, which carries it privately to the GWLB and on to the appliance. The return path needs the mirror-image route in the peer VPC, otherwise only one direction is inspected.
- AWS Organizations does not move packets; the data path is entirely GWLB plus endpoints. What Organizations contributes is a known set of member accounts to authorize on the endpoint service and, through service control policies, a way to stop application accounts from removing the routes that send their traffic through inspection.
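The following Terraform is an added example written for this page, not code from the original page or from AWS; it shows the two halves of the design described above in one place: the GWLB, target group and endpoint service in the networking account, and the GWLB endpoint plus route in an application account. Provider aliases, variable names, the appliance health-check path and the instance ID are all assumptions, and the reverse route in the peer VPC is left out.

```hcl
# Added example, not from the original page. Assumes two provider aliases
# ("networking" and "app") already authenticated to the two accounts, an
# existing VPC/subnet in each, and an appliance EC2 instance in the
# networking account. All variable values are hypothetical.

provider "aws" {
  alias  = "networking"
  region = "us-east-1"
}

provider "aws" {
  alias  = "app"
  region = "us-east-1"
}

variable "networking_vpc_id"     { type = string }
variable "networking_subnet_id"  { type = string }
variable "appliance_instance_id" { type = string }
variable "app_account_id"        { type = string }
variable "app_vpc_id"            { type = string }
variable "app_subnet_id"         { type = string }
variable "app_route_table_id"    { type = string }
variable "inspected_cidr"        { type = string } # CIDR of the peer application VPC

# --- Networking account: GWLB in front of the appliance --------------------

resource "aws_lb" "gwlb" {
  provider           = aws.networking
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = [var.networking_subnet_id]
}

# GWLB targets receive GENEVE on UDP 6081; the appliance must decapsulate and
# send inspected packets back on the same tunnel or the flow is dropped.
# The health check uses a separate port/protocol the appliance exposes.
resource "aws_lb_target_group" "appliance" {
  provider = aws.networking
  name     = "inspection-appliances"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = var.networking_vpc_id

  health_check {
    port     = 80
    protocol = "HTTP"
    path     = "/health" # assumed health endpoint on the appliance
  }
}

resource "aws_lb_target_group_attachment" "appliance" {
  provider         = aws.networking
  target_group_arn = aws_lb_target_group.appliance.arn
  target_id        = var.appliance_instance_id
}

# Gateway load balancer listeners have no port or protocol; they forward
# everything to the target group.
resource "aws_lb_listener" "gwlb" {
  provider          = aws.networking
  load_balancer_arn = aws_lb.gwlb.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.appliance.arn
  }
}

# Expose the GWLB as a PrivateLink endpoint service. Only the listed
# principals can create endpoints against it; set acceptance_required = true
# if each new consumer should be approved by hand.
resource "aws_vpc_endpoint_service" "gwlb" {
  provider                   = aws.networking
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
  allowed_principals         = ["arn:aws:iam::${var.app_account_id}:root"]
}

# --- Application account: GWLB endpoint and routing -------------------------

resource "aws_vpc_endpoint" "gwlbe" {
  provider          = aws.app
  vpc_id            = var.app_vpc_id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.app_subnet_id]
}

# Send traffic bound for the other application through the endpoint. The
# peer VPC needs the mirror-image route back through its own endpoint.
resource "aws_route" "to_inspection" {
  provider               = aws.app
  route_table_id         = var.app_route_table_id
  destination_cidr_block = var.inspected_cidr
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe.id
}
```

Two things to verify after apply: that the target group reports the appliance healthy (an unhealthy GENEVE target means the endpoint silently blackholes traffic), and that the route exists in both VPCs, since an asymmetric route leaves the appliance seeing only one direction of each flow.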
The other options are not as suitable:
- Option A puts a Network Load Balancer behind an interface VPC endpoint. That is the normal PrivateLink pattern for publishing a service, but an interface endpoint is a destination the client must connect to explicitly; it cannot be placed transparently in the path of arbitrary traffic between two applications, and the NLB terminates TCP/UDP flows to a target rather than carrying raw IP packets through an appliance and back.
- Option B uses Application Load Balancers, which are HTTP/HTTPS (layer 7) load balancers, and deploys them in each application account rather than centrally. Every application would have to speak HTTP and be re-addressed through its ALB, and there is still no way for the ALB to hand packets to an appliance and receive them back.
- Option D has no load balancer at all. An interface VPC endpoint can only connect to a PrivateLink endpoint service, and an endpoint service must be backed by an NLB or a GWLB; there is no way to point an endpoint directly at an appliance instance, and this also loses the scaling and health checking a load balancer provides.
Therefore, deploying a Gateway Load Balancer in the networking account and Gateway Load Balancer endpoints in the application accounts is the solution that lets the security appliance inspect cross-account application traffic in this scenario.
Practice question for the Amazon AWS Certified Solutions Architect – Associate (SAA-C03) certification exam.