AWS Certified Solutions Architect – Professional — Question 305
A company hosts a game player-matching service on a public-facing, physical, on-premises instance that all users are able to access over the internet. All traffic to the instance uses UDP. The company wants to migrate the service to AWS and provide a high level of security. A solutions architect needs to design a solution for the player-matching service using AWS.
Which combination of steps should the solutions architect take to meet these requirements? (Choose three.)
Answer options
- A. Use a Network Load Balancer (NLB) in front of the player-matching instance. Use a friendly DNS entry in Amazon Route 53 pointing to the NLB's Elastic IP address.
- B. Use an Application Load Balancer (ALB) in front of the player-matching instance. Use a friendly DNS entry in Amazon Route 53 pointing to the ALB's internet-facing fully qualified domain name (FQDN).
- C. Define an AWS WAF rule to explicitly drop non-UDP traffic, and associate the rule with the load balancer.
- D. Configure a network ACL rule to block all non-UDP traffic. Associate the network ACL with the subnets that hold the load balancer instances.
- E. Use Amazon CloudFront with an Elastic Load Balancer as an origin.
- F. Enable AWS Shield Advanced on all public-facing resources.
Correct answer: B, D, F
Explanation
Deploying an Application Load Balancer (ALB) with a Route 53 DNS entry provides a single, managed entry point for traffic to the matchmaking instance. To enforce the protocol restriction, a network ACL associated with the load balancer subnets is configured to drop all inbound traffic that is not UDP. Enabling AWS Shield Advanced on all public-facing endpoints protects the infrastructure against sophisticated DDoS attacks, meeting the high-security requirement.
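The network ACL step above, as an added example that is not part of the original question: a small Python model of how a VPC network ACL evaluates an ordered, stateless UDP-only rule set. The game port 7777, the CIDRs and the sample packets are constructed assumptions, and the catch-all deny is AWS's implicit final rule written out explicitly.

```python
# Added example: models VPC network ACL semantics for a UDP-only subnet.
# NACL rules are evaluated in ascending rule-number order, first match wins,
# and the ACL is stateless, so return traffic needs its own outbound rule.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # lower numbers are evaluated first
    protocol: str      # "udp", "tcp" or "-1" (all protocols)
    cidr: str          # source (inbound) or destination (outbound) CIDR
    port_from: int
    port_to: int
    action: str        # "allow" or "deny"


GAME_PORT = 7777       # hypothetical matchmaking UDP port (constructed)

# Inbound: only UDP to the game port gets in; everything else hits the catch-all deny.
INBOUND = [
    Rule(100, "udp", "0.0.0.0/0", GAME_PORT, GAME_PORT, "allow"),
    Rule(32767, "-1", "0.0.0.0/0", 0, 65535, "deny"),   # AWS implicit "*" rule
]

# Outbound: replies go back to the client's ephemeral source port, and because the
# NACL is stateless that whole range must be allowed or the service cannot answer.
OUTBOUND = [
    Rule(100, "udp", "0.0.0.0/0", 1024, 65535, "allow"),
    Rule(32767, "-1", "0.0.0.0/0", 0, 65535, "deny"),
]


def evaluate(rules, protocol, address, port):
    """Return 'allow' or 'deny' for one packet, the way a NACL would."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != protocol:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"   # no rule matched: NACLs deny by default


def inbound_decision(protocol, src_ip, dst_port):
    return evaluate(INBOUND, protocol, src_ip, dst_port)


def outbound_decision(protocol, dst_ip, dst_port):
    return evaluate(OUTBOUND, protocol, dst_ip, dst_port)
```

Run it against a TCP probe on the game port to see the deny, and against a UDP reply to a high port to see why the outbound ephemeral-range rule is required.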