AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 372
Your company runs an HTTPS application using an Elastic Load Balancing (ELB) load balancer/PHP on nginx server/RDS in multiple Availability Zones. You need to apply Geographic Restriction and identify the client's IP address in your application to generate dynamic content.
How should you utilize AWS services in a scalable fashion to perform this task?
Answer options
- A. Modify the nginx log configuration to record the value in X-Forwarded-For and use CloudFront to apply the Geographic Restriction.
- B. Enable ELB access logs to store the client IP address and parse these to dynamically modify a blacklist.
- C. Use X-Forwarded-For with security groups to apply the Geographic Restriction.
- D. Modify the application code to use the value of X-Forwarded-For and CloudFront to apply the Geographic Restriction.
Correct answer: D
Explanation
CloudFront provides a highly scalable, edge-based Geographic Restriction feature to block or allow users based on location before traffic reaches your origin. To identify the client's actual IP address within the PHP application for dynamic content generation, the application code must read the X-Forwarded-For header, which ELB passes along. Security groups cannot inspect HTTP headers like X-Forwarded-For, and parsing ELB logs to update blacklists is not a scalable or real-time solution for geographic restrictions.
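An added example, not part of the original question or its explanation: reading X-Forwarded-For in the PHP application when requests arrive through CloudFront and then the ELB. It assumes each of those two proxies appends exactly one address to the header, so anything further left was supplied by the client and is not trusted. The names `clientIpFromXff` and `TRUSTED_PROXY_HOPS` are hypothetical and the sample headers are constructed.

```php
<?php
declare(strict_types=1);

// Assumption: client -> CloudFront -> ELB -> nginx/PHP. CloudFront appends the
// viewer address and the ELB appends the address of the CloudFront edge that
// connected to it, so the client is the second entry from the right.
const TRUSTED_PROXY_HOPS = 2;

/**
 * Return the client IP recorded by the trusted proxies, or null when the
 * header is missing, too short for the expected path, or not a valid IP.
 */
function clientIpFromXff(?string $xff, int $trustedHops = TRUSTED_PROXY_HOPS): ?string
{
    if ($xff === null || trim($xff) === '') {
        return null;
    }
    $entries = array_map('trim', explode(',', $xff));

    // Count from the right: entries to the left of this index can be forged
    // by the client simply by sending its own X-Forwarded-For header.
    $index = count($entries) - $trustedHops;
    if ($index < 0) {
        return null; // request did not traverse both expected proxies
    }

    $candidate = $entries[$index];
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : null;
}

// Constructed sample headers (documentation address ranges).
$samples = [
    'normal'  => '198.51.100.23, 203.0.113.77',
    'spoofed' => '10.0.0.1, 198.51.100.23, 203.0.113.77', // client sent a fake first entry
    'short'   => '203.0.113.77',                          // only one hop present
    'garbage' => '<script>, 203.0.113.77',                // not an IP address
];

foreach ($samples as $label => $header) {
    $ip = clientIpFromXff($header);
    printf("%-8s %-40s => %s\n", $label, $header, $ip ?? '(rejected)');
}

// In the application itself the input is the request header:
// $clientIp = clientIpFromXff($_SERVER['HTTP_X_FORWARDED_FOR'] ?? null);
```

Both the `normal` and `spoofed` samples resolve to 198.51.100.23, because the forged leftmost entry is never consulted; the `short` and `garbage` samples are rejected.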