Q14 — AWS ANS-C01 Ch.1
A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application. Which solution will meet these requirements in the MOST operationally efficient way?
- A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront. ✓
- B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.
- C. Configure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.
- D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.
Correct Answer: A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
Explanation
The question tests how to force an ALB to accept only CloudFront traffic at the network layer. The AWS-recommended approach is a security group rule that references the AWS-managed CloudFront prefix list (named com.amazonaws.global.cloudfront.origin-facing): the security group is attached directly to the ALB, and AWS keeps the prefix list's entries in sync with CloudFront's origin-facing IP ranges, so nothing has to be updated by hand. Option B fails on two counts: network ACLs are stateless subnet-level controls with higher maintenance cost, and NACL rules cannot reference a prefix list at all, only CIDR blocks. Options C and D work at the application layer (a custom origin header checked by the application, or WAF rules driven by a Lambda that refreshes an IP set), which violates the network-layer requirement and adds code to maintain. Answer A achieves the filtering with a single security group rule.
Two practical caveats. First, the managed prefix list has a weight of 55 entries, which counts against the security group's inbound rule quota (60 by default), so a group with several other rules may need a quota increase. Second, the prefix list admits traffic from any CloudFront distribution, including ones in other AWS accounts; it does not prove the request came through your distribution. Deployments that need that guarantee usually combine the security group rule with a secret custom origin header (option C) validated at the ALB listener or in WAF, accepting the application-layer component the question rules out.
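The following is an added example, not code from the original page: it audits an ALB security group for the end state answer A describes, where every ingress source must be the CloudFront managed prefix list and nothing else (no CIDR, IPv6 range, or security-group source) can bypass CloudFront. The security group document is a constructed sample in the shape `boto3`'s `ec2.describe_security_groups()` returns, and the `sg-`/`pl-` identifiers are placeholders rather than real resources; `lookup_cloudfront_prefix_list` shows how the real prefix list ID is resolved but is not called offline.

```python
"""Audit an ALB security group for "CloudFront only" ingress.

Added example, not from the original page. SAMPLE_SG is a constructed group
in the shape boto3's ec2.describe_security_groups() returns; the sg-/pl-
identifiers are placeholders, not real AWS resources.
"""
from __future__ import annotations

# Name of the AWS-managed list that carries CloudFront's origin-facing ranges.
CLOUDFRONT_PL_NAME = "com.amazonaws.global.cloudfront.origin-facing"

# Placeholder ID; the real ID differs per region, see lookup_cloudfront_prefix_list().
CLOUDFRONT_PL_ID = "pl-0000000000cfexample"

# Constructed sample: rule 1 is the intended CloudFront-only rule; rules 2 and 3
# are bypasses that let traffic reach the ALB without going through CloudFront.
SAMPLE_SG = {
    "GroupId": "sg-0000000000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [],
         "PrefixListIds": [{"PrefixListId": CLOUDFRONT_PL_ID}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "PrefixListIds": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0000000000bastion", "UserId": "123456789012"}]},
    ],
}


def _port_label(perm: dict) -> str:
    if perm.get("IpProtocol") == "-1":
        return "all traffic"
    return f"{perm['IpProtocol']}/{perm.get('FromPort')}-{perm.get('ToPort')}"


def audit_ingress(sg: dict, cloudfront_pl_id: str) -> list[str]:
    """One finding per ingress source that is not the CloudFront prefix list.

    An empty list means only CloudFront ranges can reach the group. This is a
    network-layer check only: any CloudFront distribution shares these ranges,
    so it does not prove the request came through *your* distribution.
    """
    findings: list[str] = []
    for perm in sg.get("IpPermissions", []):
        label = _port_label(perm)
        for r in perm.get("IpRanges", []):
            findings.append(f"{label}: CIDR {r['CidrIp']} bypasses CloudFront")
        for r in perm.get("Ipv6Ranges", []):
            findings.append(f"{label}: CIDR {r['CidrIpv6']} bypasses CloudFront")
        for r in perm.get("UserIdGroupPairs", []):
            findings.append(f"{label}: security group {r['GroupId']} bypasses CloudFront")
        for r in perm.get("PrefixListIds", []):
            if r["PrefixListId"] != cloudfront_pl_id:
                findings.append(f"{label}: prefix list {r['PrefixListId']} is not the CloudFront list")
    return findings


def has_cloudfront_rule(sg: dict, cloudfront_pl_id: str) -> bool:
    """True if at least one ingress rule references the CloudFront prefix list."""
    return any(
        r["PrefixListId"] == cloudfront_pl_id
        for perm in sg.get("IpPermissions", [])
        for r in perm.get("PrefixListIds", [])
    )


def is_cloudfront_only(sg: dict, cloudfront_pl_id: str) -> bool:
    """The desired end state: a CloudFront rule exists and no other source does."""
    return has_cloudfront_rule(sg, cloudfront_pl_id) and not audit_ingress(sg, cloudfront_pl_id)


def remove_bypasses(sg: dict, cloudfront_pl_id: str) -> dict:
    """Return a copy of the group keeping only CloudFront prefix-list sources."""
    kept = []
    for perm in sg.get("IpPermissions", []):
        pls = [r for r in perm.get("PrefixListIds", []) if r["PrefixListId"] == cloudfront_pl_id]
        if pls:
            kept.append({**perm, "IpRanges": [], "Ipv6Ranges": [],
                         "UserIdGroupPairs": [], "PrefixListIds": pls})
    return {**sg, "IpPermissions": kept}


def lookup_cloudfront_prefix_list(region: str) -> str:
    """Resolve the managed list ID in a region (needs boto3 and credentials)."""
    import boto3  # imported lazily so the offline audit runs without it
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [CLOUDFRONT_PL_NAME]}]
    )
    return resp["PrefixLists"][0]["PrefixListId"]


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_SG, CLOUDFRONT_PL_ID):
        print("FINDING:", finding)
    print("cloudfront-only:", is_cloudfront_only(SAMPLE_SG, CLOUDFRONT_PL_ID))
    cleaned = remove_bypasses(SAMPLE_SG, CLOUDFRONT_PL_ID)
    print("after cleanup:", is_cloudfront_only(cleaned, CLOUDFRONT_PL_ID))
```

Against the sample group the audit reports three findings (the IPv4 and IPv6 world-open rules on port 80 and the bastion security-group source on 443), so `is_cloudfront_only` is false until those sources are dropped. To create the rule answer A calls for on a live account, the equivalent CLI call is `aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions 'IpProtocol=tcp,FromPort=443,ToPort=443,PrefixListIds=[{PrefixListId=<pl-id>}]'`, with `<pl-id>` taken from `lookup_cloudfront_prefix_list`; remember that this single rule consumes 55 entries of the group's inbound quota.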