Q44 — AWS SAA-C03 Ch.3


Q174. A company has a three-tier web application that is deployed on AWS. The web servers are deployed in a public subnet in a VPC. The application servers and database servers are deployed in private subnets in the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets. A solutions architect needs to integrate the web application with the appliance to inspect all traffic to the application before the traffic reaches the web server. Which solution will meet these requirements with the LEAST operational overhead?

Correct Answer: D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

Explanation

Option D is correct. A Gateway Load Balancer (GWLB) in the inspection VPC fronts the firewall appliance, and a Gateway Load Balancer endpoint (GWLBE) in the application VPC receives the incoming packets. The endpoint is a valid route-table target, so the application VPC's ingress route table (the one associated with the internet gateway) can send every packet destined for the web subnet through the endpoint before it reaches the web servers. The GWLB hands the original IP packet, encapsulated in GENEVE (UDP port 6081), to the appliance's IP interface, so the appliance sees the unmodified source and destination addresses, and the GWLB takes care of distributing flows across appliance instances, health checking them, and keeping both directions of a flow on the same appliance. Nothing in the web tier has to change, which is why this is the lowest-overhead design.

Option A suggests a Network Load Balancer in the public subnet of the application VPC. An NLB is a layer 4 load balancer that terminates TCP/UDP connections on behalf of registered targets; it is not a transparent in-path hop. The appliance would become the NLB's target and would then have to forward inspected traffic on to the web servers and handle the return path itself, which is extra plumbing to build and operate.

Option B suggests an Application Load Balancer in the public subnet of the application VPC. An ALB operates at layer 7 and terminates the client connection, so the appliance would receive new HTTP connections originated by the ALB rather than the original IP packets, and the same forward-and-return plumbing as in option A would still be needed. This might be made to work, but it carries more configuration and operational overhead than a GWLB.

Option C suggests a transit gateway in the inspection VPC with route tables that send incoming packets through it. A transit gateway connects VPCs and can steer traffic through an inspection VPC, but on its own it does not load balance across appliances, health check them, or insert them transparently; a GWLB would typically still be needed behind it, on top of VPC attachments and transit gateway route tables. For a single application VPC that is more complexity than the requirement calls for.

A Gateway Load Balancer therefore gives a scalable, cost-effective way to put a third-party firewall appliance in front of the web tier. The endpoint receives the inbound packets and forwards them to the appliance's IP interface for inspection; inspected packets return through the endpoint and are delivered to the web servers in the public subnet. Pointing the web subnet's default route back at the endpoint makes the return traffic take the same path, so both directions are inspected. This meets the requirement while minimizing operational overhead.
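The following Terraform configuration is an added illustration of the option D design, not code from the exam page or from AWS or any Marketplace vendor. It wires together the three pieces the explanation describes: the GWLB and GENEVE target group in the inspection VPC, the endpoint service and endpoint in the application VPC, and the three route tables that hairpin inbound and return traffic through the endpoint. All variable names, the health-check port, and the single-AZ layout are assumptions for the example.

```terraform
# Added example (hypothetical names and values); assumes one AZ and one appliance.
variable "app_vpc_id"            { type = string }
variable "igw_id"                { type = string }       # application VPC's internet gateway
variable "web_subnet_id"         { type = string }       # public subnet holding the web servers
variable "web_subnet_cidr"       { type = string }
variable "gwlbe_subnet_id"       { type = string }       # small subnet in the app VPC reserved for the endpoint
variable "inspection_vpc_id"     { type = string }
variable "inspection_subnet_ids" { type = list(string) }
variable "appliance_ip"          { type = string }       # the appliance's IP interface (GENEVE-capable)

# --- Inspection VPC: GWLB fronting the appliance -------------------------------
resource "aws_lb" "inspection" {
  name               = "inspection-gwlb"
  load_balancer_type = "gateway"
  subnets            = var.inspection_subnet_ids
}

# GWLB target groups always use GENEVE on UDP 6081; the appliance must
# decapsulate the inner IP packet and re-encapsulate it with the same options.
resource "aws_lb_target_group" "appliance" {
  name        = "firewall-appliance"
  port        = 6081
  protocol    = "GENEVE"
  vpc_id      = var.inspection_vpc_id
  target_type = "ip"

  health_check {
    protocol = "TCP"
    port     = "80" # assumed: whatever port the appliance answers health checks on
  }
}

resource "aws_lb_target_group_attachment" "appliance" {
  target_group_arn = aws_lb_target_group.appliance.arn
  target_id        = var.appliance_ip
}

# A GWLB listener has no port or protocol; it forwards every packet to the group.
resource "aws_lb_listener" "inspection" {
  load_balancer_arn = aws_lb.inspection.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.appliance.arn
  }
}

# Expose the GWLB via PrivateLink so the application VPC can create an endpoint.
resource "aws_vpc_endpoint_service" "inspection" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.inspection.arn]
}

# --- Application VPC: the endpoint that receives the packets -------------------
resource "aws_vpc_endpoint" "inspection" {
  vpc_id            = var.app_vpc_id
  service_name      = aws_vpc_endpoint_service.inspection.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [var.gwlbe_subnet_id]
}

# 1. Ingress route table on the internet gateway: inbound packets for the web
#    subnet go to the endpoint first, so the appliance sees them before the web tier.
resource "aws_route_table" "igw_ingress" {
  vpc_id = var.app_vpc_id
  route {
    cidr_block      = var.web_subnet_cidr
    vpc_endpoint_id = aws_vpc_endpoint.inspection.id
  }
}

resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw_ingress.id
}

# 2. Web subnet: default route back through the endpoint, so replies are inspected too.
resource "aws_route_table" "web" {
  vpc_id = var.app_vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = aws_vpc_endpoint.inspection.id
  }
}

resource "aws_route_table_association" "web" {
  subnet_id      = var.web_subnet_id
  route_table_id = aws_route_table.web.id
}

# 3. Endpoint subnet: after inspection, return traffic leaves via the internet gateway.
resource "aws_route_table" "gwlbe" {
  vpc_id = var.app_vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}

resource "aws_route_table_association" "gwlbe" {
  subnet_id      = var.gwlbe_subnet_id
  route_table_id = aws_route_table.gwlbe.id
}
```

Two things to check after applying something like this: the appliance must actually speak GENEVE (it is the GWLB that encapsulates, and the target group health check must pass or the GWLB forwards nothing), and the ingress route table is the piece that most often gets forgotten; without the edge association on the internet gateway, inbound traffic is delivered straight to the web subnet and only the web tier's outbound traffic is inspected. In a multi-AZ deployment, create one endpoint per AZ and scope each ingress and web-subnet route to its own AZ so traffic is not hairpinned across zones.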