Q44 — AWS SAA-C03 Chapter 3

Question 44 of 65

Q174. A company has a three-tier web application deployed on AWS. The web servers are deployed in a public subnet of a VPC. The application servers and database servers are deployed in private subnets of the same VPC. The company has deployed a third-party virtual firewall appliance from AWS Marketplace in an inspection VPC. The appliance is configured with an IP interface that can accept IP packets. A solutions architect needs to integrate the web application with the appliance so that all traffic to the application is inspected before the traffic reaches the web servers. Which solution will meet these requirements with the least operational overhead?

Correct answer: D. Deploy a Gateway Load Balancer in the inspection VPC. Create a Gateway Load Balancer endpoint to receive the incoming packets and forward the packets to the appliance.

Explanation

To integrate a third-party virtual firewall appliance from AWS Marketplace so that all traffic to a three-tier web application is inspected before it reaches the web server, a solutions architect should deploy a Gateway Load Balancer in the inspection VPC and create a Gateway Load Balancer endpoint that receives the incoming packets and forwards them to the appliance. Therefore, option D is the correct answer.

Option A suggests creating a Network Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection. However, Network Load Balancers are designed for TCP/UDP traffic to multiple targets and do not support the deep packet inspection this scenario requires.

Option B suggests creating an Application Load Balancer in the public subnet of the application's VPC to route the traffic to the appliance for packet inspection. While this approach could work, it requires more configuration and operational overhead than using a Gateway Load Balancer.

Option C suggests deploying a transit gateway in the inspection VPC and configuring route tables to route the incoming packets through the transit gateway. This approach adds more complexity than necessary and may not provide the same level of performance as a Gateway Load Balancer.

Using a Gateway Load Balancer provides a scalable and cost-effective solution for integrating a third-party virtual firewall appliance to inspect all traffic to a three-tier web application. The Gateway Load Balancer can be configured with an endpoint that receives incoming traffic and forwards it to the IP interface of the firewall appliance for deep packet inspection. Once the traffic has been inspected, it can be forwarded to the web servers in the private subnets via private network routes. This approach meets the requirements while minimizing operational overhead.