AWS Certified SysOps Administrator – Associate — Question 475
A company deploys a new application on three Amazon EC2 instances across three Availability Zones. The company uses a Network Load Balancer (NLB) to route traffic to the EC2 instances. A SysOps administrator must implement a solution so that the EC2 instances allow traffic from only the NLB.
What should the SysOps administrator do to meet these requirements with the LEAST operational overhead?
Answer options
- A. Configure the security group that is associated with the EC2 instances to allow traffic from only the security group that is associated with the NLB
- B. Configure the security group that is associated with the EC2 instances to allow traffic from only the elastic network interfaces that are associated with the NLB
- C. Create a network ACL. Associate the network ACL with the application subnets. Configure the network ACL to allow inbound traffic from only the CIDR ranges of the NLB
- D. Use a third-party firewall solution that is installed on a separate EC2 instance. Configure a firewall rule that allows traffic to the application's EC2 instances from only the subnets where the NLB is deployed.
Correct answer: A
Explanation
AWS Network Load Balancers (NLBs) support security groups, which allow administrators to control the traffic allowed to and from the NLB. By configuring the security group of the EC2 instances to reference the NLB's security group as the source, traffic is restricted to only the load balancer with minimal configuration, and the rule keeps working even if the NLB's node addresses change. Other methods, such as managing network ACLs, tracking specific ENIs, or deploying third-party firewalls, add unnecessary operational complexity and maintenance overhead.
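The following is an added example, not part of the exam question or AWS documentation: a small audit that reads the JSON shape returned by `aws ec2 describe-security-groups` for the instance security group and reports any ingress source on the application port that is not the NLB's security group (a leftover `0.0.0.0/0` rule is the typical way option A silently stops being true). The group ids, account id and rules below are constructed placeholders; `NLB_SG_ID` and `APP_PORTS` are assumptions standing in for the real values in the account.

```python
import json

# Constructed sample: trimmed output of `aws ec2 describe-security-groups`
# for the instance security group. All ids are placeholders, not real AWS ids.
SAMPLE_DESCRIBE_OUTPUT = """
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0app0000000000001",
      "GroupName": "app-instances",
      "IpPermissions": [
        {
          "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0nlb0000000000002", "UserId": "111122223333"}]
        },
        {
          "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "left over from testing"}],
          "UserIdGroupPairs": []
        },
        {
          "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}],
          "UserIdGroupPairs": []
        }
      ]
    }
  ]
}
"""

NLB_SG_ID = "sg-0nlb0000000000002"   # assumption: the security group attached to the NLB
APP_PORTS = {80}                      # assumption: the port the application listens on


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry applies to `port` ("-1" means all protocols/ports)."""
    if perm.get("IpProtocol") == "-1":
        return True
    return perm.get("FromPort") is not None and perm["FromPort"] <= port <= perm["ToPort"]


def has_nlb_rule(sg: dict, nlb_sg_id: str, port: int) -> bool:
    """True if some ingress rule on `port` uses the NLB's security group as its source."""
    for perm in sg.get("IpPermissions", []):
        if rule_covers_port(perm, port):
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") == nlb_sg_id:
                    return True
    return False


def audit_ingress(sg: dict, nlb_sg_id: str, app_ports: set) -> list:
    """Return one finding string per ingress source on an app port that is not the NLB SG.

    CIDR sources (IPv4 or IPv6) and other security groups are all reported; rules
    that do not touch an application port (e.g. admin SSH) are out of scope here.
    """
    findings = []
    for perm in sg.get("IpPermissions", []):
        if not any(rule_covers_port(perm, p) for p in app_ports):
            continue
        where = f"{perm.get('IpProtocol')}/{perm.get('FromPort')}-{perm.get('ToPort')}"
        for r in perm.get("IpRanges", []):
            findings.append(f"CIDR source {r['CidrIp']} on {where}")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"CIDR source {r['CidrIpv6']} on {where}")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != nlb_sg_id:
                findings.append(f"security group source {pair.get('GroupId')} on {where}")
    return findings


def authorize_from_nlb_cli(instance_sg_id: str, nlb_sg_id: str, port: int) -> list:
    """The AWS CLI invocation (as an argv list) that adds the option-A rule."""
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", instance_sg_id, "--protocol", "tcp",
            "--port", str(port), "--source-group", nlb_sg_id]


def load_first_group(describe_json: str) -> dict:
    return json.loads(describe_json)["SecurityGroups"][0]


if __name__ == "__main__":
    sg = load_first_group(SAMPLE_DESCRIBE_OUTPUT)
    print("NLB rule present on 80:", has_nlb_rule(sg, NLB_SG_ID, 80))
    for f in audit_ingress(sg, NLB_SG_ID, APP_PORTS):
        print("FINDING:", f)
    print(" ".join(authorize_from_nlb_cli(sg["GroupId"], NLB_SG_ID, 80)))
```

On the sample above the audit confirms the NLB-sourced rule exists and flags the stray `0.0.0.0/0` rule on port 80, while leaving the port 22 rule alone because it is not an application port. One caveat worth remembering when applying option A: a security group can only be associated with an NLB when the NLB is created, so an existing NLB that was created without one has no group for the instance rule to reference.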