Q2 — AWS ANS-C01 Ch.1
A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection. Which solution will meet these requirements?
- A. Configure VPC flow logs on each EC2 network interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.
- B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application. ✓
- C. Configure a mirror session. Specify an Amazon Kinesis Data Firehose delivery stream as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application. Create a third-party EC2 appliance. Send all traffic to the appliance through the Kinesis Data Firehose delivery stream for content inspection.
- D. Configure VPC flow logs on each EC2 network interface. Send the logs to Amazon CloudWatch. Create a third-party EC2 appliance. Configure a CloudWatch filter to send the flow logs to Amazon Kinesis Data Firehose to load the logs into the appliance.
Correct Answer: B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.
Explanation
Answer B is correct. In this scenario, creating a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB), configuring a mirror session that specifies the NLB as the mirror target, capturing inbound and outbound traffic with a mirror filter, and specifying the elastic network interfaces of all the instances that host the application as the mirror session's source satisfies the company requirement that all network traffic be sent to a centralized third-party EC2 appliance for content inspection. Of the other options, A relies on VPC flow logs, C delivers traffic through a Kinesis Data Firehose delivery stream, and D uses a CloudWatch filter together with Kinesis Data Firehose; none of them mirrors and inspects the traffic as directly and effectively as option B. VPC flow logs record connection metadata (addresses, ports, byte counts, accept/reject), not packet contents, so they cannot support content inspection, and Kinesis Data Firehose is not a supported Traffic Mirroring target.