AWS Certified SysOps Administrator – Associate (legacy) — Question 479
You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from pre-defined customer IP addresses.
Which two options meet this security requirement? (Choose two.)
Answer options
- A. Configure web server VPC security groups to allow traffic from your customers' IPs
- B. Configure your web servers to filter traffic based on the ELB's "X-forwarded-for" header
- C. Configure ELB security groups to allow traffic from your customers' IPs and deny all outbound traffic
- D. Configure a VPC NACL to allow web traffic from your customers' IPs and deny all outbound traffic
Correct answer: A, B
Explanation
Filtering traffic at the web server layer can be achieved either by restricting the web server's security groups directly if client IPs are preserved (Option A), or by configuring the web servers to analyze the "X-forwarded-for" HTTP header sent by the ELB (Option B). Restricting all outbound traffic in either the ELB security groups (Option C) or the VPC NACL (Option D) is incorrect because it would block the return traffic to the clients, breaking the application's functionality.
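The Option B approach in working form, as an added example that is not part of the original question or answer key: the web server takes only the right-most X-Forwarded-For entry, which is the one the ELB appended for the peer that connected to it, and checks it against a customer allowlist. The customer network ranges are constructed placeholder values; the check assumes the web servers are reachable only through the ELB, otherwise the whole header could be forged.

```python
import ipaddress

# Constructed allowlist of customer networks (placeholder documentation ranges,
# not values from the question).
CUSTOMER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]


def client_ip_from_xff(xff_header):
    """Return the address the ELB appended to X-Forwarded-For, or None.

    The ELB appends the IP of the peer that connected to it as the LAST
    comma-separated entry. Anything to the left arrived inside the client's
    own request and can be set to any value, so it must not be used for
    access control. This is only trustworthy when the ELB is the sole path
    to the web servers (e.g. web server security group allows only the ELB).
    """
    if not xff_header:
        return None
    parts = [p.strip() for p in xff_header.split(",")]
    try:
        return ipaddress.ip_address(parts[-1])
    except ValueError:
        # Malformed or empty last entry: fail closed.
        return None


def is_allowed(xff_header, allowlist=CUSTOMER_NETWORKS):
    """True only if the ELB-appended client address is inside a customer network."""
    ip = client_ip_from_xff(xff_header)
    if ip is None:
        return False
    return any(ip in net for net in allowlist)
```

A naive filter that reads the first entry instead would accept a request whose client merely sent `X-Forwarded-For: 203.0.113.7` itself.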