Amazon ANS-C01 Exam - Topic 1 Question 25 Discussion

Actual exam question for Amazon's ANS-C01 exam

Question #: 25
Topic #: 1

A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.

The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.

Which combination of steps should a network engineer take to meet these requirements? (Select TWO.)

AInsert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.

BModify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.

CInsert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.

DModify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.

EForward all requests to the web application target group. Edit the web application target group and disable stickiness.

Show Suggested Answer

Suggested Answer: B

Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1.Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2.Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2.This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.

by Rosina at May 02, 2024, 12:59 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Van

5 months ago

Wait, can we really use the same URL for both apps? Sounds tricky!

upvoted 0 times

...

Tula

5 months ago

D just forwards to the web app, not what they want.

upvoted 0 times

...

Eun

5 months ago

C seems a bit off, using X-Forwarded-For could be risky.

upvoted 0 times

...

Orville

5 months ago

I think B makes more sense for handling unmatched requests.

upvoted 0 times

...

Teddy

6 months ago

A is definitely the right choice for path-based routing.

upvoted 0 times

...

Osvaldo

6 months ago

I remember that we should definitely use the path-pattern condition for /management, but I can't decide between options A and B. I feel like both could work, but I'm leaning towards A.

upvoted 0 times

...

Veronique

6 months ago

I'm a bit confused about the stickiness part. I thought stickiness was more relevant for user sessions, but I can't recall if it applies here for the management application.

upvoted 0 times

...

Wai

6 months ago

I think we practiced a similar question where we had to restrict access based on IP addresses. I feel like option A might be the right choice since it mentions checking the source IP.

upvoted 0 times

...

Evangelina

6 months ago

I remember we discussed how to configure path-based routing with the Application Load Balancer, but I'm not sure if we should modify the default rule or insert a new one for this scenario.

upvoted 0 times

...

Linwood

6 months ago

This seems like a good approach. I'm feeling pretty confident I can tackle this question now.

upvoted 0 times

...

Jospeh

6 months ago

Yeah, and we need to make sure we're checking the source IP address for the management app to only allow access from the on-premises IP range.

upvoted 0 times

...

Samira

6 months ago

I think the key here is setting up the load balancer rules to route the /management requests to the separate management application target group, while forwarding everything else to the web application target group.

upvoted 0 times

...

Myra

6 months ago

Okay, let's break this down step-by-step. We need to configure the load balancer to handle the management application separately from the web application, and restrict access to the management app to the company's on-premises IP address space.

upvoted 0 times

...

Josephine

7 months ago

This question seems straightforward, but I want to make sure I understand the requirements correctly before I start solving it.

upvoted 0 times

...

Cornell

7 months ago

Hmm, this looks like a tricky one. I'll need to think carefully about the right commands to extend the repair delay time.

upvoted 0 times

...

Shizue

7 months ago

If I remember correctly, targeting executive priorities is definitely important when communicating with them.

upvoted 0 times

...

Iluminada

7 months ago

Okay, I got this. I just need to compare the benefit-cost ratios and select the drug with the highest ratio. That will be the most efficient use of resources.

upvoted 0 times

...

Gayla

12 months ago

I can't believe they're even considering these options. It's like they're trying to make a secure system by throwing darts at a wall of AWS features.

upvoted 0 times

Jeffrey

11 months ago

Yeah, Option A definitely stands out as the most logical choice. It's important to have a clear plan when setting up a system like this.

upvoted 0 times

...

Lon

11 months ago

I agree, Option A is the way to go. It's important to have the right configuration for security.

upvoted 0 times

...

Novella

11 months ago

Option A seems like the best choice to me. It covers all the requirements and seems the most secure.

upvoted 0 times

...

Kattie

12 months ago

E? Really? Disabling stickiness for the web app? That's just asking for trouble. Not a chance.

upvoted 0 times

Kristofer

11 months ago

C) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.

upvoted 0 times

...

Lyda

11 months ago

B) Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.

upvoted 0 times

...

Tien

11 months ago

A) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.

upvoted 0 times

...

Jaime

12 months ago

D is an interesting idea, but forwarding the management app to the web app target group doesn't seem quite right. We want to keep them separate.

upvoted 0 times

...

Eun

1 year ago

I'm not sure, but I think option B could also be a valid choice.

upvoted 0 times

...

Alba

1 year ago

C looks interesting, but I'm not a fan of relying on the X-Forwarded-For header for IP verification. That could be easily spoofed.

upvoted 0 times

Elin

12 months ago

User 2: Definitely, we need a more secure way to restrict access to the management application.

upvoted 0 times

...

Deandrea

12 months ago

User 1: I agree, relying on the X-Forwarded-For header for IP verification is risky.

upvoted 0 times

...

Lashandra

1 year ago

I agree with Alishia. Those steps seem to meet all the requirements.

upvoted 0 times

...

Glennis

1 year ago

I'm not sure about B. Modifying the default rule to handle the management app doesn't seem as clean as having a dedicated rule for it.

upvoted 0 times

...

Alishia

1 year ago

I think the correct steps are A and C.

upvoted 0 times

...

Johnna

1 year ago

Hmm, I think option A is the way to go. Separating the management application into its own target group and using path-based routing to restrict access to the on-premises IP space seems like a solid approach.

upvoted 0 times

...