AWS Certified Solutions Architect – Professional — Question 811
A company is offering one of its applications as a multi-tenant software-as-a-service (SaaS) solution. The application has a REST API that runs on a set of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances run in an Auto Scaling group.
Last week, one of the tenants ran a campaign that significantly increased traffic to the REST API. The resource constraints affected the performance of other tenants that were running on the same set of EC2 instances. The company wants the ability to throttle API calls for each tenant.
Which combination of steps should a solutions architect take to meet these requirements? (Choose three.)
Answer options
- A. Create an AWS WAF web ACL. Add a rate-based rule statement to the web ACL. Set the action to block.
- B. Create an Amazon API Gateway API. Assign an API key usage plan for each tenant.
- C. Create an Amazon API Gateway API. Assign the AWS WAF web ACL to the API Gateway API.
- D. Create an Amazon CloudFront distribution. Assign the AWS WAF web ACL to the CloudFront distribution.
- E. Create a VPC link for HTTP APIs. Set up the ALB as the target. Configure an HTTP proxy private integration that uses the VPC link.
- F. Modify the application's API requests to target the newly created endpoint.
Correct answer: B, E, F
Explanation
To enforce individual rate limits per tenant, Amazon API Gateway is used because it supports usage plans and API keys (Option B), which allow throttling on a per-client basis. To connect API Gateway securely to the private ALB in front of the EC2 instances, a VPC link for HTTP APIs must be configured as a private integration (Option E). Finally, client applications must update their routing to target the new API Gateway endpoint rather than the ALB directly (Option F).