
SAP-C02: Reaching On-Premises Systems from AWS Using a Single Allow-Listed Elastic IP with Automatic Failure Mitigation

Learn how to let an application running in private subnets reach on-premises systems from a single allow-listed Elastic IP address, while mitigating failures of the egress path automatically.


Question

A company has migrated a legacy application to the AWS Cloud. The application runs on three Amazon EC2 instances that are spread across three Availability Zones. One EC2 instance is in each Availability Zone. The EC2 instances are running in three private subnets of the VPC and are set up as targets for an Application Load Balancer (ALB) that is associated with three public subnets.

The application needs to communicate with on-premises systems. Only traffic from IP addresses in the company’s IP address range is allowed to access the on-premises systems. The company’s security team is bringing only one IP address from its internal IP address range to the cloud. The company has added this IP address to the allow list for the company firewall. The company also has created an Elastic IP address for this IP address.

A solutions architect needs to create a solution that gives the application the ability to communicate with the on-premises systems. The solution also must be able to mitigate failures automatically.

Which solution will meet these requirements?

A. Deploy three NAT gateways, one in each public subnet. Assign the Elastic IP address to the NAT gateways. Turn on health checks for the NAT gateways. If a NAT gateway fails a health check, recreate the NAT gateway and assign the Elastic IP address to the new NAT gateway.
B. Replace the ALB with a Network Load Balancer (NLB). Assign the Elastic IP address to the NLB. Turn on health checks for the NLB. In the case of a failed health check, redeploy the NLB in different subnets.
C. Deploy a single NAT gateway in a public subnet. Assign the Elastic IP address to the NAT gateway. Use Amazon CloudWatch with a custom metric to monitor the NAT gateway. If the NAT gateway is unhealthy, invoke an AWS Lambda function to create a new NAT gateway in a different subnet. Assign the Elastic IP address to the new NAT gateway.
D. Assign the Elastic IP address to the ALB. Create an Amazon Route 53 simple record with the Elastic IP address as the value. Create a Route 53 health check. In the case of a failed health check, recreate the ALB in different subnets.

Answer

C. Deploy a single NAT gateway in a public subnet. Assign the Elastic IP address to the NAT gateway. Use Amazon CloudWatch with a custom metric to monitor the NAT gateway. If the NAT gateway is unhealthy, invoke an AWS Lambda function to create a new NAT gateway in a different subnet. Assign the Elastic IP address to the new NAT gateway.

Explanation

The application initiates the connections, so the on-premises firewall sees the source address of whatever the traffic leaves the VPC through. The EC2 instances sit in private subnets, so that exit point is a NAT gateway in a public subnet, and the NAT gateway must hold the single allow-listed Elastic IP address. An Elastic IP address can be associated with only one NAT gateway at a time, and a NAT gateway lives in exactly one Availability Zone, so a single NAT gateway is unavoidable here and some mechanism to replace it is needed to mitigate failures.

Option C provides exactly that: one NAT gateway in a public subnet holds the Elastic IP address, a CloudWatch custom metric tracks its health, and when it is unhealthy a Lambda function creates a replacement NAT gateway in a different public subnet (another Availability Zone) and moves the Elastic IP address to it; the default routes of the private subnets are then pointed at the new gateway. Because the Elastic IP address stays bound to a NAT gateway until that gateway is deleted, the function has to delete the failed gateway before creating the replacement with the same allocation, and there is a short window without egress while it does so.

The other options fail on basic mechanics. Option A cannot work because one Elastic IP address cannot be attached to three NAT gateways at once, and NAT gateways have no configurable health checks. Option B assigns the Elastic IP address to an NLB, but an NLB only carries traffic addressed to its listeners; connections the instances open toward on-premises follow the subnet route table and never pass through the NLB, so they would not carry the allow-listed address. NLB health checks also monitor the targets, not the load balancer itself, and nothing in the option automates the redeployment. Option D is invalid because an ALB cannot have an Elastic IP address assigned (its addresses are dynamic), and a Route 53 health check does not recreate a load balancer.
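The remediation the Lambda function in option C has to perform, written out as an added example that is not part of the original page. It uses the real boto3 EC2 client method names (describe_nat_gateways, delete_nat_gateway, create_nat_gateway, replace_route) and their keyword arguments, but takes the client as a parameter so it can run offline against the FakeEC2 stand-in below; the subnet, route-table, NAT gateway and allocation IDs are constructed sample values, and FakeEC2 is an assumption about the API's behaviour, not AWS code.

```python
"""Single-EIP NAT gateway failover (added example, not from the original page).

The ordering is the point: the Elastic IP allocation stays bound to the old
NAT gateway until that gateway reaches the 'deleted' state, so the function
deletes first, recreates with the same AllocationId in another subnet, and
only then repoints the private route tables. Pass a real boto3 EC2 client
(boto3.client("ec2")) in production; FakeEC2 below is an in-memory stand-in.
"""
import time

DEFAULT_ROUTE = "0.0.0.0/0"


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client; mimics state transitions only."""

    def __init__(self, nat_gateways, routes):
        self.nat_gateways = nat_gateways   # nat_id -> {SubnetId, AllocationId, State}
        self.routes = routes               # route_table_id -> nat_id for 0.0.0.0/0
        self.calls = []

    def describe_nat_gateways(self, NatGatewayIds):
        out = []
        for nat_id in NatGatewayIds:
            g = self.nat_gateways.get(nat_id)
            if g is None:
                continue
            # Real gateways take a minute or two; the fake advances one step per poll.
            if g["State"] == "pending":
                g["State"] = "available"
            elif g["State"] == "deleting":
                g["State"] = "deleted"
            out.append({"NatGatewayId": nat_id, "SubnetId": g["SubnetId"], "State": g["State"],
                        "NatGatewayAddresses": [{"AllocationId": g["AllocationId"]}]})
        return {"NatGateways": out}

    def delete_nat_gateway(self, NatGatewayId):
        self.calls.append(("delete", NatGatewayId))
        self.nat_gateways[NatGatewayId]["State"] = "deleting"
        return {"NatGatewayId": NatGatewayId}

    def create_nat_gateway(self, SubnetId, AllocationId):
        self.calls.append(("create", SubnetId, AllocationId))
        # One Elastic IP can back only one live NAT gateway (this is what rules out option A).
        for g in self.nat_gateways.values():
            if g["AllocationId"] == AllocationId and g["State"] != "deleted":
                raise RuntimeError("allocation is still bound to an active NAT gateway")
        nat_id = f"nat-{len(self.nat_gateways) + 1}"
        self.nat_gateways[nat_id] = {"SubnetId": SubnetId, "AllocationId": AllocationId, "State": "pending"}
        return {"NatGateway": {"NatGatewayId": nat_id, "State": "pending"}}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.calls.append(("replace_route", RouteTableId, DestinationCidrBlock, NatGatewayId))
        self.routes[RouteTableId] = NatGatewayId
        return {}


def wait_for_state(ec2, nat_id, wanted, attempts=30, poll_interval=0.0):
    """Poll until the gateway reaches `wanted`; use poll_interval=10 against real AWS
    (or boto3's nat_gateway_available / nat_gateway_deleted waiters)."""
    for _ in range(attempts):
        found = ec2.describe_nat_gateways(NatGatewayIds=[nat_id])["NatGateways"]
        if found and found[0]["State"] == wanted:
            return True
        time.sleep(poll_interval)
    return False


def fail_over_nat_gateway(ec2, failed_nat_id, candidate_subnets, private_route_tables, poll_interval=0.0):
    """Move the single allow-listed EIP from a failed NAT gateway to a new one in another subnet.
    Returns the new NAT gateway ID."""
    old = ec2.describe_nat_gateways(NatGatewayIds=[failed_nat_id])["NatGateways"][0]
    allocation_id = old["NatGatewayAddresses"][0]["AllocationId"]
    # Pick a public subnet other than the failed gateway's (i.e. another Availability Zone).
    new_subnet = next(s for s in candidate_subnets if s != old["SubnetId"])
    ec2.delete_nat_gateway(NatGatewayId=failed_nat_id)
    if not wait_for_state(ec2, failed_nat_id, "deleted", poll_interval=poll_interval):
        raise RuntimeError(f"{failed_nat_id} never reached 'deleted'; EIP is still bound to it")
    new_id = ec2.create_nat_gateway(SubnetId=new_subnet, AllocationId=allocation_id)["NatGateway"]["NatGatewayId"]
    if not wait_for_state(ec2, new_id, "available", poll_interval=poll_interval):
        raise RuntimeError(f"{new_id} never became available")
    # Repoint every private subnet's default route so egress keeps using the allow-listed EIP.
    for rtb in private_route_tables:
        ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock=DEFAULT_ROUTE, NatGatewayId=new_id)
    return new_id


def build_sample_environment():
    """Constructed starting state: one failed NAT gateway that all three private subnets route through."""
    return FakeEC2(
        nat_gateways={"nat-a": {"SubnetId": "subnet-a", "AllocationId": "eipalloc-0123", "State": "failed"}},
        routes={"rtb-a": "nat-a", "rtb-b": "nat-a", "rtb-c": "nat-a"},
    )


if __name__ == "__main__":
    ec2 = build_sample_environment()
    new = fail_over_nat_gateway(ec2, "nat-a", ["subnet-a", "subnet-b", "subnet-c"], ["rtb-a", "rtb-b", "rtb-c"])
    print(new, ec2.nat_gateways[new], ec2.routes)
```

In a real deployment the Lambda function needs ec2:DescribeNatGateways, ec2:DeleteNatGateway, ec2:CreateNatGateway and ec2:ReplaceRoute on the resources involved and nothing wider, and the CloudWatch alarm that triggers it should be checked against a synthetic probe through the gateway rather than only the gateway's own metrics.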
