Q14 — AWS ANS-C01 Ch.1


A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application. Which solution will meet these requirements in the MOST operationally efficient way?

Correct Answer: A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.

Explanation

The core point of this question is how to enforce, at the network layer, that the ALB accepts traffic only from CloudFront. The AWS-recommended approach is a security group combined with a managed prefix list: the security group acts as an instance-level firewall attached directly to the ALB, and the AWS-managed CloudFront prefix list automatically tracks the IP addresses of the global edge locations, so the rule never needs to be updated by hand. Option B's network ACL is a subnet-level, stateless control with a higher maintenance cost; options C and D rely on application-layer header validation and a WAF rule respectively, which do not satisfy the network-layer requirement. The correct answer achieves precise and efficient traffic filtering with a single security group rule.