
ANS-C01: Centrally Monitoring EC2 Application Traffic for Compliance with AWS Packet Mirroring

Learn how to configure AWS packet mirroring to efficiently meet regulatory requirements for a third-party to inspect all EC2 application traffic in real-time.


Question

A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection.

Which solution will meet these requirements?

A. Configure VPC flow logs on each EC2 network interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.
B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.
C. Configure a mirror session. Specify an Amazon Kinesis Data Firehose delivery stream as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application. Create a third-party EC2 appliance. Send all traffic to the appliance through the Kinesis Data Firehose delivery stream for content inspection.
D. Configure VPC flow logs on each EC2 network interface. Send the logs to Amazon CloudWatch. Create a third-party EC2 appliance. Configure a CloudWatch filter to send the flow logs to Amazon Kinesis Data Firehose to load the logs into the appliance.

Answer

B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.

Explanation

The solution that best meets the requirements is B:

  • Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB)
  • Configure a mirror session with the NLB as the target
  • Specify a mirror filter to capture inbound and outbound traffic from the app instance interfaces

This directly meets the requirements to:

  • Send all traffic to a centralized third-party EC2 appliance
  • Leverage packet mirroring for real-time traffic inspection

The other options do not meet all requirements:

A/D – Rely on VPC Flow Logs, which record only connection metadata (addresses, ports, protocol, byte and packet counts) rather than packet contents, so the appliance would receive aggregate data, not real-time traffic it can inspect
C – Routes mirrored traffic through a Kinesis Data Firehose delivery stream, which is not a Traffic Mirroring target type (targets are network interfaces or load balancers) and adds unnecessary complexity compared with mirroring directly to the appliance

By mirroring the application interfaces' traffic to the NLB-backed third-party appliance, all network traffic can be inspected centrally in real time, as the new regulation requires. In practice the NLB needs a UDP listener on port 4789, because Traffic Mirroring delivers mirrored packets VXLAN-encapsulated to that port, and the appliance must decapsulate them before inspection.
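To make the mirror-filter and mirror-target behaviour in option B concrete, here is an added Python model (not AWS code, and not part of the original page) of how a Traffic Mirroring filter decides which packets from a source ENI are mirrored, and how each mirrored packet is VXLAN-encapsulated for delivery to UDP port 4789 on the NLB-fronted appliance. The filter semantics modelled are: rules are evaluated per direction in rule-number order, the first match decides (accept or reject), and traffic matching no rule is not mirrored. The VNI value (1001), the CIDRs and the sample packets are constructed for the example; the session's virtual network ID is what the appliance sees as the VNI.

```python
"""Added illustrative model of AWS Traffic Mirroring filter evaluation and
VXLAN encapsulation. It is not AWS's implementation and makes no AWS calls."""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

VXLAN_UDP_PORT = 4789  # Traffic Mirroring delivers mirrored packets as VXLAN over UDP/4789


@dataclass(frozen=True)
class Packet:
    direction: str            # "ingress" or "egress" relative to the source ENI
    protocol: int             # IP protocol number: 6 = TCP, 17 = UDP
    src: str
    dst: str
    src_port: int
    dst_port: int
    payload: bytes = b""      # stands in for the mirrored inner frame


@dataclass(frozen=True)
class FilterRule:
    rule_number: int                      # lowest evaluated first; first match wins
    direction: str                        # "ingress" or "egress"
    action: str                           # "accept" or "reject"
    source_cidr: str = "0.0.0.0/0"
    destination_cidr: str = "0.0.0.0/0"
    protocol: Optional[int] = None        # None = all protocols
    source_ports: Optional[tuple] = None  # (from, to) inclusive, None = any port
    destination_ports: Optional[tuple] = None

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source_cidr):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.destination_cidr):
            return False
        if self.source_ports and not self.source_ports[0] <= pkt.src_port <= self.source_ports[1]:
            return False
        if self.destination_ports and not self.destination_ports[0] <= pkt.dst_port <= self.destination_ports[1]:
            return False
        return True


@dataclass
class MirrorFilter:
    rules: list = field(default_factory=list)

    def decide(self, pkt: Packet) -> bool:
        """True if the packet is mirrored. Rules are evaluated in rule-number
        order; the first match decides, and a packet matching no rule is NOT
        mirrored, so an empty filter mirrors nothing at all."""
        for rule in sorted(self.rules, key=lambda r: r.rule_number):
            if rule.matches(pkt):
                return rule.action == "accept"
        return False


def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header the appliance receives on UDP/4789:
    flags (0x08 = VNI valid), 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 1 <= vni <= 0xFFFFFF:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8) + inner_frame


def vxlan_decapsulate(datagram: bytes):
    """Inverse of vxlan_encapsulate: return (vni, inner_frame). The VNI tells
    the appliance which mirror session (virtual network ID) the frame came from."""
    if len(datagram) < 8:
        raise ValueError("truncated VXLAN header")
    flags, tail = struct.unpack("!B3xI", datagram[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN header without the VNI-valid flag")
    return tail >> 8, datagram[8:]


def mirror_session(filter_: MirrorFilter, vni: int, packets):
    """Return the VXLAN datagrams this session would send to the NLB target
    for the packets the filter accepts."""
    return [vxlan_encapsulate(vni, p.payload) for p in packets if filter_.decide(p)]


# Constructed filter: mirror all inbound and outbound TCP on the app ENI, but
# skip health checks from the constructed 10.0.0.0/24 range (rule 10 precedes 100).
APP_FILTER = MirrorFilter(rules=[
    FilterRule(10, "ingress", "reject", source_cidr="10.0.0.0/24", protocol=6),
    FilterRule(100, "ingress", "accept", protocol=6),
    FilterRule(100, "egress", "accept", protocol=6),
])

# Constructed sample traffic as seen on one application instance's ENI.
SAMPLE_PACKETS = [
    Packet("ingress", 6, "203.0.113.7", "10.0.1.10", 51234, 443, b"GET / HTTP/1.1"),
    Packet("egress", 6, "10.0.1.10", "203.0.113.7", 443, 51234, b"HTTP/1.1 200 OK"),
    Packet("ingress", 6, "10.0.0.5", "10.0.1.10", 40000, 443, b"health-check"),  # rejected by rule 10
    Packet("ingress", 17, "10.0.2.2", "10.0.1.10", 53, 53, b"dns"),              # matches no rule
]

if __name__ == "__main__":
    for dgram in mirror_session(APP_FILTER, vni=1001, packets=SAMPLE_PACKETS):
        session_vni, frame = vxlan_decapsulate(dgram)
        print(f"session VNI {session_vni} -> UDP/{VXLAN_UDP_PORT}: {frame!r}")
```

Running the script shows only the two application packets being forwarded, each carrying VNI 1001; the health check is dropped by the explicit reject rule and the UDP packet is dropped because no rule matches it, which is the behaviour to keep in mind when an "inbound and outbound" filter silently omits a protocol.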
