AWS Certified SysOps Administrator Associate: Enabling End-to-End HTTPS for Web Applications with AWS ALB

Learn how to configure AWS Application Load Balancers (ALB) to enforce encrypted HTTPS communication between clients and web applications while maintaining existing user endpoints through HTTP to HTTPS redirection.

Question

A company has an existing public web application for www.example.com. The Application Load Balancer (ALB) is configured with a single HTTP 80 listener. A SysOps administrator must ensure that all web requests to www.example.com are encrypted between the client and the ALB.

The SysOps administrator already has requested and validated a public certificate for www.example.com in AWS Certificate Manager (ACM). Existing users of the application must not be required to change the endpoint to which they are connecting.

Which additional set of steps should the SysOps administrator take to meet these requirements?

A. Create an additional ALB listener for HTTPS on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.
B. Create an additional ALB listener for HTTPS on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate. Delete the original HTTP listener on port 80.
C. Modify the ALB default rule for the HTTP port 80 listener. Create a rule in the listener to forward all traffic for the host www.example.com to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.
D. Modify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

Answer

D. Modify the ALB default rule for the HTTP port 80 listener to redirect to HTTPS on port 443. Create an additional HTTPS listener on port 443. Set the default action to forward all traffic to the target group. Specify the ACM certificate that was created for www.example.com as the default SSL certificate.

Explanation

This approach meets the requirements by redirecting all HTTP traffic to HTTPS while also ensuring that existing users do not need to change the endpoint they are connecting to. Here are the detailed steps:

  1. Modify the default rule for the existing HTTP listener on port 80 to redirect all traffic to the HTTPS listener on port 443. This can be done by creating a redirect action within the listener rules.
  2. Create a new HTTPS listener on port 443.
  3. Associate the ACM certificate for www.example.com with the new HTTPS listener.
  4. Set the default action of the HTTPS listener to forward traffic to the existing target group.
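The four steps above expressed as infrastructure code, as an added example that is not part of the original page. It is a CloudFormation fragment using the real `AWS::ElasticLoadBalancingV2::Listener` resource type and its documented properties; the `LoadBalancerArn`, `TargetGroupArn` and `CertificateArn` parameters are assumed names standing in for the company's existing ALB, target group and validated ACM certificate.

```yaml
# Added example (not from the original page): the listener layout that
# option D describes. The ALB, target group and ACM certificate are passed
# in as hypothetical parameters; the resource properties are real.
Parameters:
  LoadBalancerArn:
    Type: String          # ARN of the existing ALB serving www.example.com
  TargetGroupArn:
    Type: String          # ARN of the existing, unchanged target group
  CertificateArn:
    Type: String          # ARN of the validated ACM certificate for www.example.com

Resources:
  # Step 1: the port 80 listener's default action becomes a redirect instead
  # of a forward. "#{host}", "#{path}" and "#{query}" are ALB placeholders,
  # so the client is sent to the same URL it asked for; only the scheme and
  # port change. HTTP_301 tells browsers to remember the redirect.
  HttpRedirectListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 80
      Protocol: HTTP
      DefaultActions:
        - Type: redirect
          RedirectConfig:
            Protocol: HTTPS
            Port: "443"
            Host: "#{host}"
            Path: "/#{path}"
            Query: "#{query}"
            StatusCode: HTTP_301

  # Steps 2-4: a new port 443 listener that presents the ACM certificate and
  # forwards to the existing target group. SslPolicy chooses the TLS versions
  # and ciphers the ALB will negotiate; this predefined policy allows only
  # TLS 1.2 and TLS 1.3.
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref LoadBalancerArn
      Port: 443
      Protocol: HTTPS
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref TargetGroupArn
```

If the existing port 80 listener was created outside CloudFormation, the same change to its default action is made with `aws elbv2 modify-listener` (or in the console) rather than by declaring a second port 80 listener. Two things the question does not mention but the change depends on: the ALB's security group must allow inbound TCP 443 from the clients, and the redirect only covers requests that reach the ALB, so the target group's own configuration can stay as it is.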

With this configuration, when a client requests www.example.com over HTTP (port 80), the ALB answers with a redirect to the same URL over HTTPS (port 443). The client then establishes a TLS connection to the HTTPS listener, which presents the ACM certificate, and the ALB forwards the request to the target group.

Existing users do not need to change the endpoint they are connecting to, as the redirection from HTTP to HTTPS happens transparently at the ALB level.
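A way to verify the two properties the explanation relies on, as an added example that is not part of the original page: that port 80 answers with a redirect to the same host and path on https://, and that the certificate on port 443 actually covers the hostname users type. The functions read response headers and certificate text on stdin so they can be fed live `curl -sI` and `openssl x509 -noout -subject -ext subjectAltName` output; the samples below are constructed, not captured from a real ALB.

```shell
#!/bin/sh
# Added example (not from the original page): post-change checks for an ALB
# that should redirect HTTP to HTTPS and present a certificate for the host.

# Usage: check_redirect HOST PATH   (response headers on stdin)
# Succeeds only if the status is a redirect and Location is https://HOST/PATH,
# i.e. the ALB placeholders preserved host, path and query string.
check_redirect() {
    host="$1"; path="$2"
    headers=$(cat | tr -d '\r')
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p')
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    [ "$location" = "https://${host}${path}" ]
}

# Usage: cert_covers_host HOST   (openssl x509 subject/SAN text on stdin)
# Succeeds if HOST appears as a DNS SAN entry or as the subject CN.
cert_covers_host() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    text=$(cat)
    printf '%s\n' "$text" | grep -Eq "DNS:${esc}(,|$)" && return 0
    printf '%s\n' "$text" | grep -Eq "CN *= *${esc}( |,|$)"
}

# Constructed sample: what a correctly configured port 80 listener returns.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: awselb/2.0
Content-Type: text/html
Content-Length: 134
Connection: keep-alive
Location: https://www.example.com/login?next=%2Fhome'

# Constructed sample: the listener still forwards in plain HTTP (option A).
SAMPLE_PLAIN='HTTP/1.1 200 OK
Server: awselb/2.0
Content-Type: text/html'

# Constructed sample: subject/SAN lines of the ACM certificate on port 443.
SAMPLE_CERT='subject=CN = www.example.com
X509v3 Subject Alternative Name: 
    DNS:www.example.com, DNS:example.com'

main() {
    if printf '%s\n' "$SAMPLE_REDIRECT" | check_redirect www.example.com '/login?next=%2Fhome'; then
        echo "port 80: redirects to HTTPS with host and path preserved"
    else
        echo "port 80: NOT redirecting to HTTPS"
    fi
    if printf '%s\n' "$SAMPLE_PLAIN" | check_redirect www.example.com /; then
        echo "plain sample: unexpectedly passed"
    else
        echo "plain sample: correctly flagged as still serving HTTP"
    fi
    if printf '%s\n' "$SAMPLE_CERT" | cert_covers_host www.example.com; then
        echo "port 443: certificate covers www.example.com"
    else
        echo "port 443: certificate does not cover www.example.com"
    fi
}
main
```

Against a live deployment the same functions are driven with `curl -sI http://www.example.com/login?next=%2Fhome | check_redirect www.example.com '/login?next=%2Fhome'` and `openssl s_client -connect www.example.com:443 -servername www.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName | cert_covers_host www.example.com`; the `-servername` flag matters because the ALB selects the certificate by SNI.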

Other options are either incomplete or introduce unnecessary changes:

A. Creating an additional HTTPS listener without modifying the existing HTTP listener would not force traffic to be encrypted between the client and the ALB.
B. Deleting the original HTTP listener would require existing users to change the endpoint they are connecting to, which is not desired.
C. Creating a rule for www.example.com on the HTTP listener and specifying the SSL certificate would not force traffic to be encrypted, as the listener is still operating over an unencrypted HTTP connection.
