AWS Certified Security – Specialty — Question 297
A company requires deep packet inspection on encrypted traffic to its web servers in its VPC.
Which solution will meet this requirement?
Answer options
- A. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
- B. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
- C. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS WAF endpoint for the deep packet inspection.
- D. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS WAF endpoint for the deep packet inspection.
Correct answer: B
Explanation
Deep packet inspection (DPI) cannot be performed on encrypted traffic, so the traffic must first be decrypted. In this scenario that is done by terminating TLS on a Network Load Balancer (NLB), which operates at layer 4 and forwards the decrypted TCP traffic on. That plaintext traffic can then be routed through an AWS Network Firewall endpoint, a service designed for deep packet inspection across network layers. AWS WAF is a web application firewall: it inspects application-layer HTTP/HTTPS requests but does not provide the network-level deep packet inspection that AWS Network Firewall does, which rules out options C and D.