AWS ANS-C01: Effective Steps for Enhancing AWS Network Security with Network Firewall

Discover the key steps for improving network security in an AWS environment using Network Firewall. Learn how to effectively configure firewall rules and route tables for optimal security.

Question

A network engineer needs to improve the network security of an existing AWS environment by adding an AWS Network Firewall firewall to control internet-bound traffic. The AWS environment consists of five VPCs. Each VPC has an internet gateway, NAT gateways, public Application Load Balancers (ALBs), and Amazon EC2 instances. The EC2 instances are deployed in private subnets. The architecture is deployed across two Availability Zones.

The network engineer must be able to configure rules for the public IP addresses in the environment, regardless of the direction of traffic. The network engineer must add the firewall by implementing a solution that minimizes changes to the existing production environment. The solution also must ensure high availability.

Which combination of steps should the network engineer take to meet these requirements? (Choose two.)

A. Create a centralized inspection VPC with subnets in two Availability Zones. Deploy Network Firewall in this inspection VPC with an endpoint in each Availability Zone.
B. Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.
C. Deploy Network Firewall in each VPC. Use existing subnets in each of the two Availability Zones to deploy Network Firewall endpoints.
D. Update the route tables that are associated with the private subnets that host the EC2 instances. Add routes to the Network Firewall endpoints.
E. Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.

Answer

B. Configure new subnets in two Availability Zones in each VPC. Deploy Network Firewall in each VPC with an endpoint in each Availability Zone.
E. Update the route tables that are associated with the public subnets that host the NAT gateways and the ALBs. Add routes to the Network Firewall endpoints.

Explanation

The deciding requirement is that rules must be able to refer to the environment's public IP addresses regardless of the direction of traffic. The public IP addresses in each VPC are the Elastic IPs of the NAT gateways and the addresses of the public ALBs, and they only appear on packets travelling between those public subnets and the VPC's own internet gateway. A firewall can therefore match on them only if it sits, in each VPC, between the internet gateway and the public subnets. That is the distributed deployment model (Step B). Network Firewall endpoints need their own subnets: the firewall subnet's route table must send 0.0.0.0/0 to the internet gateway, while the public subnets being inspected must send 0.0.0.0/0 to the firewall endpoint, so the same subnet cannot serve both roles and the existing subnets in Option C cannot be reused. One small firewall subnet per Availability Zone, with an endpoint in each, keeps the firewall available through the loss of a single Availability Zone.

Step E puts the endpoints in the data path. The route tables of the public subnets that host the NAT gateways and the ALBs currently send 0.0.0.0/0 to the internet gateway; that default route is repointed at the firewall endpoint in the same Availability Zone, so internet-bound traffic from the private EC2 instances (already translated to the NAT gateway's public address) and from the ALBs is inspected before it reaches the internet gateway. The inbound half of the path comes from an ingress route table associated with the internet gateway (an edge association) that routes each public subnet's CIDR to the firewall endpoint in that subnet's Availability Zone, so inbound connections to the ALBs and responses to outbound traffic traverse the same endpoint. Pointing every route at the endpoint in its own Availability Zone avoids cross-zone hairpins and keeps an Availability Zone failure from affecting traffic in the other zone. Nothing about the NAT gateways, ALBs, EC2 instances or private subnets changes, which is what keeps the production impact minimal.

Option A, a centralized inspection VPC, does not fit this environment. Reaching it would require a transit gateway attachment and new routes in every VPC, traffic crossing the transit gateway carries private addresses rather than the public IPs of the NAT gateways and ALBs, and inbound traffic to the ALBs would never reach the inspection VPC at all because it arrives through each VPC's own internet gateway. Option D is also wrong: the private subnets already send internet-bound traffic to the NAT gateways, and routing them to the firewall endpoints instead would bypass NAT and present only private source addresses to the firewall.
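The distributed deployment described above for a single VPC, written as an added Terraform example. It is not part of the original page and not an AWS-published sample. It assumes an existing VPC, an internet gateway and two public subnets (one per Availability Zone, each with its own route table) that are supplied through the variables; the firewall subnet CIDRs in the defaults are placeholder ranges, the public IPs in the rule group are constructed TEST-NET-3 addresses, and all resource names are made up for the example. Apply it once per VPC.

```hcl
# Added example, not from the original page: distributed Network Firewall for ONE existing VPC.
# Apply once per VPC; the variables below describe assumed existing resources.
variable "vpc_id" { type = string }
variable "igw_id" { type = string }
variable "public_subnets" { # existing public subnets (NAT gateways + ALBs) keyed by AZ
  type = map(object({ cidr = string, route_table_id = string }))
}
variable "firewall_subnet_cidrs" { # new /28 per AZ for the endpoints; placeholder ranges
  type    = map(string)
  default = { "us-east-1a" = "10.0.250.0/28", "us-east-1b" = "10.0.250.16/28" }
}

# Step B: a dedicated firewall subnet per AZ whose only route is straight to the IGW.
resource "aws_subnet" "firewall" {
  for_each          = var.firewall_subnet_cidrs
  vpc_id            = var.vpc_id
  availability_zone = each.key
  cidr_block        = each.value
}
resource "aws_route_table" "firewall" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}
resource "aws_route_table_association" "firewall" {
  for_each       = aws_subnet.firewall
  subnet_id      = each.value.id
  route_table_id = aws_route_table.firewall.id
}

# Rules keyed on the environment's public IPs, written for both directions (Suricata syntax).
resource "aws_networkfirewall_rule_group" "public_ips" {
  name     = "public-ip-rules"
  type     = "STATEFUL"
  capacity = 100
  rule_group {
    rule_variables {
      ip_sets {
        key = "PUBLIC_IPS" # NAT gateway EIPs and ALB addresses; constructed TEST-NET-3 values
        ip_set { definition = ["203.0.113.10/32", "203.0.113.11/32"] }
      }
    }
    rules_source {
      rules_string = <<-EOT
        pass tcp any any -> $PUBLIC_IPS 443 (msg:"inbound HTTPS to the ALBs"; sid:100; rev:1;)
        pass tcp $PUBLIC_IPS any -> any 443 (msg:"outbound HTTPS from the NAT gateways"; sid:110; rev:1;)
        drop ip any any <> $PUBLIC_IPS any (msg:"drop all other traffic touching our public IPs"; sid:900; rev:1;)
      EOT
    }
  }
}
resource "aws_networkfirewall_firewall_policy" "edge" {
  name = "edge-inspection"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference { resource_arn = aws_networkfirewall_rule_group.public_ips.arn }
  }
}
resource "aws_networkfirewall_firewall" "edge" {
  name                = "edge-firewall"
  vpc_id              = var.vpc_id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.edge.arn
  dynamic "subnet_mapping" { # one endpoint per firewall subnet, i.e. per AZ
    for_each = aws_subnet.firewall
    content { subnet_id = subnet_mapping.value.id }
  }
}

# AZ -> endpoint ID, so every route targets the endpoint in its own AZ (no cross-AZ hairpin).
locals {
  endpoint_by_az = {
    for s in aws_networkfirewall_firewall.edge.firewall_status[0].sync_states :
    s.availability_zone => s.attachment[0].endpoint_id
  }
}

# Step E: repoint each public subnet's default route from the IGW to the firewall endpoint.
# The existing 0.0.0.0/0 -> IGW route must be imported into this resource or deleted first.
resource "aws_route" "public_default" {
  for_each               = var.public_subnets
  route_table_id         = each.value.route_table_id
  destination_cidr_block = "0.0.0.0/0"
  vpc_endpoint_id        = local.endpoint_by_az[each.key]
}

# Inbound side: an ingress route table on the IGW (edge association) sends traffic for each
# public subnet to the endpoint in that subnet's AZ, keeping both directions on one endpoint.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.vpc_id
  dynamic "route" {
    for_each = var.public_subnets
    content {
      cidr_block      = route.value.cidr
      vpc_endpoint_id = local.endpoint_by_az[route.key]
    }
  }
}
resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_ingress.id
}
```

The keys of `public_subnets` and `firewall_subnet_cidrs` must be the same Availability Zone names, because each public route table and each ingress route is bound to the endpoint in its own zone. The private subnets and their routes to the NAT gateways are deliberately untouched (Option D), so the firewall sees the NAT gateways' public addresses on outbound flows and the ALBs' public addresses on inbound ones. The three Suricata rules are a minimal illustration of addressing those public IPs in both directions; a real policy would add whatever other egress the instances need before relying on the final drop.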