AWS Certified Solutions Architect – Associate (SAA-C03) — Question 6

A company has a three-tier web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets.
A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server.
Which solution will meet these requirements with the LEAST operational overhead?

Answer options

• A. Create a Network Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection.
• B. Create an Application Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection.
• C. Deploy a transit gateway in the inspection VPConfigure route tables to route the incoming packets through the transit gateway.
• D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

Correct answer: D

Explanation

The correct answer is D because a Gateway Load Balancer is specifically designed for integrating virtual appliances and can easily forward packets to the appliance for inspection with minimal configuration. Options A and B involve load balancers that don't provide the direct integration required, while option C, involving a transit gateway, introduces unnecessary complexity and operational overhead.