AWS Certified Advanced Networking – Specialty (ANS-C01) — Question 242

A company uses AWS Network Firewall to protect outgoing traffic for multiple VPCs that are in the same AWS account. Each VPC contains Amazon EC2 instances that host the company's applications. Each EC2 instance is tagged with the name of the application it hosts. The EC2 instances are in Auto Scaling groups.

A Network Firewall stateful rule group must remain up-to-date, even when an Auto Scaling group launches and terminates EC2 instances.

Which solution will meet this requirement with the LEAST implementation and administrative effort?

Answer options

• A. Create a network ACL for each application. Reference the network ACL in the stateful rule group.
• B. Create a prefix list for each application. Reference the prefix list in the stateful rule group.
• C. Create an AWS Lambda function that queries the EC2 instance tags for each application name and then updates the stateful rule group with the IP address of each instance.
• D. Create a resource group for each application name. Reference the Amazon Resource Name (ARN) for the resource groups in the stateful rule group.

Correct answer: D

Explanation

Option D is correct because using resource groups allows for automatic updates to the stateful rule group based on the ARN, which aligns with the dynamic nature of Auto Scaling. Options A and B require additional management of ACLs and prefix lists, which increases administrative overhead. Option C, while functional, involves more complexity and effort than necessary compared to the simplicity of using resource groups.