Learn how to configure AWS load balancer rules for managing different application paths and access control. Explore steps to restrict access to specific paths and IP spaces while enabling seamless functionality across applications.
Question
A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.
The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company’s on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.
Which combination of steps should a network engineer take to meet these requirements? (Choose two.)
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
B. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
C. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
D. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
E. Forward all requests to the web application target group. Edit the web application target group and disable stickiness.
Answer
A. Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
D. Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
Explanation
To enable access to a management application using the same URL with a path prefix of “/management” and restricted to on-premises IP addresses:
- Option A: Insert a rule for the load balancer’s HTTPS listener that checks the “/management” path-pattern condition and the source-ip condition for the on-premises IP address space. Forward requests that match both conditions to the management application’s target group. Enable stickiness on the management application target group so that the stateful administration sessions stay on the same instance.
- Option D: Modify the default rule for the load balancer’s HTTPS listener so that requests that do not match the “/management” path-pattern and on-premises source-ip conditions are forwarded to the web application target group. The default rule therefore handles every non-matching request.
By configuring the listener rules to inspect the path pattern for “/management” and to check the source IP against the on-premises address space, the network engineer ensures that only requests with this path and an on-premises source address reach the management application’s target group, while all other requests fall through to the web application’s target group. This provides the required access for administrators and the required restriction for everyone else.
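As an added example (not part of the original question, and not AWS code), the following Python models how the HTTPS listener evaluates the two rules described above: rules are tried in priority order, the path-pattern condition uses the ALB wildcard syntax, and the source-ip condition is checked against the connection’s source address, never against a client-supplied X-Forwarded-For header (which is why option C does not restrict access). The on-premises CIDR and the target group names are constructed placeholders.

```python
"""Model of ALB listener rule evaluation for the /management setup (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed placeholders: the company's on-premises range and the two target groups.
ON_PREM_CIDRS = ["203.0.113.0/24"]
WEB_TG = "web-app-tg"
MGMT_TG = "management-tg"


def path_matches(pattern: str, path: str) -> bool:
    """ALB path-pattern: '*' matches 0+ chars, '?' matches exactly one; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path) is not None


def source_ip_matches(cidrs, client_ip: str) -> bool:
    """ALB source-ip: evaluated on the TCP connection's source address, not on any header."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


@dataclass
class Rule:
    priority: int
    target_group: str
    path_patterns: list = field(default_factory=list)
    source_ips: list = field(default_factory=list)

    def matches(self, path: str, client_ip: str) -> bool:
        # Every condition type on the rule must match (AND); values within a type are OR.
        if self.path_patterns and not any(path_matches(p, path) for p in self.path_patterns):
            return False
        if self.source_ips and not source_ip_matches(self.source_ips, client_ip):
            return False
        return True


# Option A: inserted rule with both conditions, forwarding to the management target group.
# Option D: the default rule (lowest priority, no conditions) forwards everything else to the web app.
LISTENER_RULES = [
    Rule(10, MGMT_TG, path_patterns=["/management", "/management/*"], source_ips=ON_PREM_CIDRS),
    Rule(50000, WEB_TG),  # default rule
]


def route(path: str, client_ip: str) -> str:
    """Return the target group the listener forwards this request to."""
    for rule in sorted(LISTENER_RULES, key=lambda r: r.priority):
        if rule.matches(path, client_ip):
            return rule.target_group
    raise RuntimeError("unreachable: the default rule has no conditions and always matches")
```

A request for /management from outside the on-premises range is not rejected by the load balancer; it simply falls through to the web application target group, which serves no management content.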
AWS Certified Advanced Networking – Specialty ANS-C01 certification exam practice question and answer (Q&A) dump with detailed explanation and reference, available free, to help you pass the AWS Certified Advanced Networking – Specialty ANS-C01 exam and earn the AWS Certified Advanced Networking – Specialty ANS-C01 certification.