Q94 — AWS ANS-C01 Ch.1
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection. Which solution will meet these requirements?
- A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
- B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
- C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
- D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs. ✓
Correct Answer: D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
Explanation
In this scenario, a solution is needed that automatically verifies network connectivity whenever the security group changes and notifies the network engineer. Options A and B rely only on enabling VPC Flow Logs and setting up the corresponding metric filters and alarms, which cannot fully satisfy the requirement to verify network connectivity. In option C, specifying the security group as the source is not accurate, because what needs to be tested is connectivity from the public internet to the EC2 instances, and the public internet normally enters through the VPC's internet gateway. Option D creates a VPC Reachability Analyzer path on port 443 with the VPC's internet gateway as the source and the EC2 instances as the destination, which accurately models the connection from the public internet to the instances. Creating the SNS topic, Lambda function and EventBridge rule then triggers the check and notifies the network engineer whenever the security group changes, meeting all of the requirements. Therefore, option D is the correct answer.
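As an added illustration (not part of the exam page), this is the shape of the Lambda function option D describes: started by the EventBridge rule on a security-group change, it runs the pre-created Reachability Analyzer path (internet gateway to instance, port 443), waits for the analysis, and publishes to the SNS topic when the path is no longer found. The path ID, topic ARN and the explanation code in the comments are placeholders, and the decision logic is kept in a separate function so it can be exercised without AWS credentials.

```python
"""Hypothetical Lambda handler for option D (constructed example, not the page's code)."""
import os
import time
import uuid

# Placeholders: a Reachability Analyzer path created beforehand (source = internet
# gateway, destination = EC2 instance, protocol TCP, destination port 443) and the SNS topic.
NETWORK_INSIGHTS_PATH_ID = os.environ.get("NETWORK_INSIGHTS_PATH_ID", "nip-PLACEHOLDER")
SNS_TOPIC_ARN = os.environ.get("SNS_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")


def evaluate_analysis(analysis: dict) -> tuple:
    """Return (reachable, summary) for one DescribeNetworkInsightsAnalyses entry.

    A completed analysis with NetworkPathFound=False means the change broke the
    path; the Explanations list names the component (e.g. a security group) that
    blocked it. An analysis that did not complete is reported as a failure too.
    """
    status = analysis.get("Status")
    if status != "succeeded":
        msg = analysis.get("StatusMessage", "")
        return False, f"analysis did not complete (status={status}): {msg}"
    if analysis.get("NetworkPathFound"):
        return True, "path reachable on port 443"
    codes = [e.get("ExplanationCode", "UNKNOWN") for e in analysis.get("Explanations", [])]
    return False, "path NOT reachable; explanations: " + ", ".join(codes)


def lambda_handler(event, context):
    """EventBridge -> Lambda entry point: start the analysis, wait, notify on failure."""
    import boto3  # imported here so evaluate_analysis() stays testable offline

    ec2 = boto3.client("ec2")
    sns = boto3.client("sns")
    started = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=NETWORK_INSIGHTS_PATH_ID, ClientToken=str(uuid.uuid4())
    )
    analysis_id = started["NetworkInsightsAnalysis"]["NetworkInsightsAnalysisId"]
    while True:  # poll until Reachability Analyzer finishes (typically under a minute)
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis_id]
        )["NetworkInsightsAnalyses"][0]
        if analysis["Status"] != "running":
            break
        time.sleep(5)
    reachable, summary = evaluate_analysis(analysis)
    if not reachable:  # only the failing case pages the network engineer
        sns.publish(TopicArn=SNS_TOPIC_ARN, Subject="Port 443 reachability check failed",
                    Message=f"{summary}\nTriggering event: {event}")
    return {"reachable": reachable, "summary": summary}
```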