AWS Certified Solutions Architect – Associate (SAA-C02) — Question 283
A solutions architect needs to design a highly available application consisting of web, application, and database tiers. HTTPS content delivery should be as close to the edge as possible, with the least delivery time.
Which solution meets these requirements and is MOST secure?
Answer options
- A. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.
- B. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.
- C. Configure a public Application Load Balancer (ALB) with multiple redundant Amazon EC2 instances in private subnets. Configure Amazon CloudFront to deliver HTTPS content using the public ALB as the origin.
- D. Configure a public Application Load Balancer with multiple redundant Amazon EC2 instances in public subnets. Configure Amazon CloudFront to deliver HTTPS content using the EC2 instances as the origin.
Correct answer: C
Explanation
Option C is the most secure because placing the Amazon EC2 instances in private subnets protects them from direct internet access, while the public Application Load Balancer (ALB) safely routes traffic to them. Amazon CloudFront delivers HTTPS content with low latency from edge locations close to users, with the ALB acting as the secure origin. Options A and D are less secure because they place EC2 instances in public subnets, and options B and D use the EC2 instances instead of the ALB as the CloudFront origin, which reduces scalability and makes availability harder to manage.