AWS Certified Solutions Architect – Associate (SAA-C03) — Question 889
An ecommerce company runs several internal applications in multiple AWS accounts. The company uses AWS Organizations to manage its AWS accounts.
A security appliance in the company's networking account must inspect interactions between applications across AWS accounts.
Which solution will meet these requirements?
Answer options
- A. Deploy a Network Load Balancer (NLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the NLB by using an interface VPC endpoint in the application accounts.
- B. Deploy an Application Load Balancer (ALB) in the application accounts to send traffic directly to the security appliance.
- C. Deploy a Gateway Load Balancer (GWLB) in the networking account to send traffic to the security appliance. Configure the application accounts to send traffic to the GWLB by using an interface GWLB endpoint in the application accounts.
- D. Deploy an interface VPC endpoint in the application accounts to send traffic directly to the security appliance.
Correct answer: C
Explanation
Gateway Load Balancer (GWLB) is the AWS service built for inserting third-party virtual security appliances transparently into a traffic path. It operates at layer 3 and listens for all IP packets on all ports, forwards each packet to the appliance fleet inside a GENEVE tunnel (UDP port 6081) so the appliance sees the original packet unchanged, and is exposed to other VPCs and accounts through a VPC endpoint service (AWS PrivateLink). Each application account creates a Gateway Load Balancer endpoint (GWLBe) for that service and adds route table entries that point at the endpoint, so traffic is steered through the appliance in the networking account without changing the applications and without VPC peering. Because the endpoint service lists the application accounts as allowed principals, the appliance in the networking account inspects flows that cross account boundaries while the GWLB, the appliances and their scaling and health checks stay under the networking team's control.

The other options do not give an inline inspection path. An NLB (A) terminates connections at layer 4 and an ALB (B) at layer 7, so neither hands the original packets to an appliance; an interface VPC endpoint can only front an NLB-based endpoint service, and the applications would have to address that endpoint explicitly instead of being routed through it. Option D names an interface endpoint with no endpoint service or load balancer behind it, so there is nothing to connect to and no way to scale or fail over across appliance instances.
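How option C is wired up in practice, as an added Terraform example that is not part of the exam page or of any AWS documentation. Account IDs, VPC, subnet, instance and route table IDs, CIDR ranges, the CLI profile names and the appliance health-check path are placeholders; the appliance AMI is assumed to decapsulate GENEVE on UDP 6081 (any GWLB-compatible appliance does), and cross-account forwarding of the inspected traffic onward (for example via a Transit Gateway) is assumed to exist already.

```hcl
# Added example, not from the exam page. Two providers: the networking
# account that owns the GWLB and appliances, and one application account
# that consumes it. Profile names are assumptions about local CLI config.
provider "aws" {
  alias   = "networking"
  region  = "us-east-1"
  profile = "networking"
}

provider "aws" {
  alias   = "app"
  region  = "us-east-1"
  profile = "app"
}

variable "app_account_id" {
  default = "111111111111" # placeholder application account
}

# --- Networking account: GWLB, GENEVE target group, endpoint service ---

resource "aws_lb" "inspection" {
  provider           = aws.networking
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = ["subnet-0aaa", "subnet-0bbb"] # appliance subnets (placeholders)
}

# GENEVE target group: packets reach the appliance encapsulated on UDP 6081,
# so the appliance sees the original source/destination unchanged.
# The health check cannot use GENEVE; it runs on a separate port/protocol
# that the appliance exposes (assumed HTTP /health here).
resource "aws_lb_target_group" "appliances" {
  provider = aws.networking
  name     = "inspection-appliances"
  port     = 6081
  protocol = "GENEVE"
  vpc_id   = "vpc-0net" # placeholder networking VPC

  health_check {
    port     = 80
    protocol = "HTTP"
    path     = "/health"
  }
}

resource "aws_lb_target_group_attachment" "appliance" {
  provider         = aws.networking
  target_group_arn = aws_lb_target_group.appliances.arn
  target_id        = "i-0appliance" # placeholder appliance instance
}

# A GWLB listener has no port or protocol: every IP packet is forwarded.
resource "aws_lb_listener" "inspection" {
  provider          = aws.networking
  load_balancer_arn = aws_lb.inspection.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.appliances.arn
  }
}

# Publish the GWLB as a PrivateLink endpoint service. Only the listed
# principals may create endpoints, and each connection still needs
# explicit acceptance by the networking account.
resource "aws_vpc_endpoint_service" "inspection" {
  provider                   = aws.networking
  acceptance_required        = true
  gateway_load_balancer_arns = [aws_lb.inspection.arn]
  allowed_principals         = ["arn:aws:iam::${var.app_account_id}:root"]
}

# --- Application account: GWLB endpoint and routes ---

resource "aws_vpc_endpoint" "inspection" {
  provider          = aws.app
  service_name      = aws_vpc_endpoint_service.inspection.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  vpc_id            = "vpc-0app"                 # placeholder application VPC
  subnet_ids        = ["subnet-0app-endpoint"]   # dedicated endpoint subnet
}

# The networking account accepts the cross-account connection.
resource "aws_vpc_endpoint_connection_accepter" "app" {
  provider                = aws.networking
  vpc_endpoint_service_id = aws_vpc_endpoint_service.inspection.id
  vpc_endpoint_id         = aws_vpc_endpoint.inspection.id
}

# Steer application traffic into the endpoint: anything leaving the app
# subnet for other internal ranges is inspected first. The endpoint
# subnet's own route table then carries the inspected packets onward, and
# the peer VPC needs the mirror setup so both directions are inspected.
resource "aws_route" "to_inspection" {
  provider               = aws.app
  route_table_id         = "rtb-0app-subnet" # placeholder app subnet route table
  destination_cidr_block = "10.0.0.0/8"      # placeholder internal ranges
  vpc_endpoint_id        = aws_vpc_endpoint.inspection.id
}
```

Two things to check after applying this: the target group must report the appliance healthy on the non-GENEVE health-check port before any traffic flows, and the route tables on both sides of a flow must point at a GWLBe, otherwise one direction bypasses the appliance and stateful inspection sees only half of each connection.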