Learn the required security group settings for an internet-facing Application Load Balancer (ALB) that receives HTTPS traffic and forwards it to EC2 instances running a web app. Covers inbound and outbound rules for web traffic and health checks. Key topic for the AWS Certified Solutions Architect Associate SAA-C03 exam.
Question
A company is designing a web application with an internet-facing Application Load Balancer (ALB).
The company needs the ALB to receive HTTPS web traffic from the public internet. The ALB must send only HTTPS traffic to the web application servers hosted on the Amazon EC2 instances on port 443. The ALB must perform a health check of the web application servers over HTTPS on port 8443.
Which combination of configurations of the security group that is associated with the ALB will meet these requirements? (Choose three.)
A. Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443.
B. Allow all outbound traffic to 0.0.0.0/0 for port 443.
C. Allow HTTPS outbound traffic to the web application instances for port 443.
D. Allow HTTPS inbound traffic from the web application instances for port 443.
E. Allow HTTPS outbound traffic to the web application instances for the health check on port 8443.
F. Allow HTTPS inbound traffic from the web application instances for the health check on port 8443.
Answer
A. Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443.
C. Allow HTTPS outbound traffic to the web application instances for port 443.
E. Allow HTTPS outbound traffic to the web application instances for the health check on port 8443.
Explanation
To allow the internet-facing Application Load Balancer (ALB) to receive HTTPS traffic from the public internet, send HTTPS to the EC2 web servers on port 443, and perform HTTPS health checks on port 8443, the following security group settings are required:
A. Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443. This allows the ALB to receive HTTPS traffic from any IP address on the internet.
C. Allow HTTPS outbound traffic to the web application instances for port 443. This allows the ALB to forward the HTTPS traffic it receives to the EC2 instances running the web application.
E. Allow HTTPS outbound traffic to the web application instances for the health check on port 8443. This allows the ALB to send HTTPS health check requests to the EC2 instances on port 8443 to verify that the web application is running properly.
The other options are incorrect because:
B – Allowing all outbound traffic is overly permissive and not required.
D – The ALB does not need to accept inbound HTTPS traffic from the web app instances.
F – The web app instances do not need to send inbound HTTPS traffic to the ALB for health checks; the ALB initiates those connections.
So in summary, configuring the ALB security group with inbound HTTPS on 443 from the internet, outbound HTTPS on 443 to the EC2 instances, and outbound HTTPS on 8443 to the instances for health checks will enable the required functionality while following the principle of least privilege.
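The three correct rules expressed as Terraform, as an added example that is not part of the original question. It scopes the ALB's outbound rules to the instances' security group rather than a CIDR range, and also shows the matching inbound rules on the instance side; "vpc-PLACEHOLDER" stands in for a real VPC ID.

```hcl
# Added example (not from the original page): Terraform for the ALB security
# group in this question, using security-group references instead of CIDRs.
# "vpc-PLACEHOLDER" stands in for a real VPC ID.

# Web application instances' security group; the ALB egress rules reference it.
resource "aws_security_group" "web_instances" {
  name   = "web-instances-sg"
  vpc_id = "vpc-PLACEHOLDER"
}

# Internet-facing ALB security group (no inline rules, so the provider also
# removes the default allow-all egress rule, which is what option B would be).
resource "aws_security_group" "alb" {
  name   = "alb-sg"
  vpc_id = "vpc-PLACEHOLDER"
}

# Option A: HTTPS inbound from the public internet on port 443.
resource "aws_vpc_security_group_ingress_rule" "alb_https_in" {
  security_group_id = aws_security_group.alb.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Options C and E: HTTPS outbound to the web instances only, on 443 (traffic)
# and 8443 (health checks); scoped by security group, not 0.0.0.0/0.
resource "aws_vpc_security_group_egress_rule" "alb_to_web" {
  for_each                     = toset(["443", "8443"])
  security_group_id            = aws_security_group.alb.id
  referenced_security_group_id = aws_security_group.web_instances.id
  ip_protocol                  = "tcp"
  from_port                    = tonumber(each.key)
  to_port                      = tonumber(each.key)
}

# Instance side: accept those same ports only from the ALB security group.
resource "aws_vpc_security_group_ingress_rule" "web_from_alb" {
  for_each                     = toset(["443", "8443"])
  security_group_id            = aws_security_group.web_instances.id
  referenced_security_group_id = aws_security_group.alb.id
  ip_protocol                  = "tcp"
  from_port                    = tonumber(each.key)
  to_port                      = tonumber(each.key)
}
```

Because security groups are stateful, no inbound rule from the instances (options D and F) is needed on the ALB for the responses to return.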