AWS Certified SysOps Administrator – Associate (legacy) — Question 734

A company has a web application that is deployed in a VPC. Inbound traffic to this web application comes in through an internet gateway and arrives at a Network
Load Balancer (NLB). From there, the traffic travels to multiple Amazon EC2 instances in two private subnets. The company wants to perform deep packet inspection on the inbound traffic to identify potential hacking attempts.
Which solution meets these requirements?

Answer options

• A. Configure AWS Shield for the VPC.
• B. Use AWS Network Firewall on the VPC. Configure Network Firewall to perform deep packet inspection.
• C. Use AWS Network Firewall on the subnets. Configure Network Firewall to perform deep packet inspection.
• D. Set up Traffic Mirroring on an inbound port of the NLB.

Correct answer: D

Explanation

Traffic Mirroring allows you to copy network traffic from a network interface, such as the elastic network interface (ENI) of a Network Load Balancer (NLB), and send it to security appliances for deep packet inspection. AWS Shield is a managed DDoS protection service and does not perform deep packet inspection for hacking attempts. AWS Network Firewall is an inline firewall service that requires specific routing table configurations to intercept traffic rather than being directly configured 'on the VPC' or 'on the subnets' as described.