Deal of The Day! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Amazon ANS-C01 Exam - Topic 1 Question 25 Discussion

A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.Which combination of steps should a network engineer take to meet these requirements? (Select TWO.)
B) Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
A) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
C) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
D) Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the web application target group if there is not a match.
E) Forward all requests to the web application target group. Edit the web application target group and disable stickiness.

Amazon ANS-C01 Exam - Topic 1 Question 25 Discussion

Actual exam question for Amazon's ANS-C01 exam
Question #: 25
Topic #: 1
[All ANS-C01 Questions]

A company is deploying a new stateless web application on AWS. The web application will run on Amazon EC2 instances in private subnets behind an Application Load Balancer. The EC2 instances are in an Auto Scaling group. The web application has a stateful management application for administration that will run on EC2 instances that are in a separate Auto Scaling group.

The company wants to access the management application by using the same URL as the web application, with a path prefix of /management. The protocol, hostname, and port number must be the same for the web application and the management application. Access to the management application must be restricted to the company's on-premises IP address space. An SSL/TLS certificate from AWS Certificate Manager (ACM) will protect the web application.

Which combination of steps should a network engineer take to meet these requirements? (Select TWO.)

Show Suggested Answer Hide Answer
Suggested Answer: B

Creating a new Route 53 Resolver outbound endpoint in the shared services VPC would enable forwarding of DNS queries from the VPC to on-premises1.Creating forwarding rules for the on-premises hosted domains would enable specifying which domain names are forwarded to the on-premises DNS servers2.Associating the rules with the new Resolver endpoint and each application VPC would enable applying the rules to the VPCs2.This solution would not affect the default DNS resolution behavior of Route 53 Resolver for local VPC domain names and domains that are hosted in Route 53 private hosted zones3.


by Rosina at May 02, 2024, 12:59 AM

Limited Time Offer

25%

Off

Get Premium ANS-C01 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Van
6 months ago
Wait, can we really use the same URL for both apps? Sounds tricky!
upvoted 0 times
...
Tula
6 months ago
D just forwards to the web app, not what they want.
upvoted 0 times
...
Eun
7 months ago
C seems a bit off, using X-Forwarded-For could be risky.
upvoted 0 times
...
Orville
7 months ago
I think B makes more sense for handling unmatched requests.
upvoted 0 times
...
Teddy
7 months ago
A is definitely the right choice for path-based routing.
upvoted 0 times
...
Osvaldo
7 months ago
I remember that we should definitely use the path-pattern condition for /management, but I can't decide between options A and B. I feel like both could work, but I'm leaning towards A.
upvoted 0 times
...
Veronique
7 months ago
I'm a bit confused about the stickiness part. I thought stickiness was more relevant for user sessions, but I can't recall if it applies here for the management application.
upvoted 0 times
...
Wai
8 months ago
I think we practiced a similar question where we had to restrict access based on IP addresses. I feel like option A might be the right choice since it mentions checking the source IP.
upvoted 0 times
...
Evangelina
8 months ago
I remember we discussed how to configure path-based routing with the Application Load Balancer, but I'm not sure if we should modify the default rule or insert a new one for this scenario.
upvoted 0 times
...
Linwood
8 months ago
This seems like a good approach. I'm feeling pretty confident I can tackle this question now.
upvoted 0 times
...
Jospeh
8 months ago
Yeah, and we need to make sure we're checking the source IP address for the management app to only allow access from the on-premises IP range.
upvoted 0 times
...
Samira
8 months ago
I think the key here is setting up the load balancer rules to route the /management requests to the separate management application target group, while forwarding everything else to the web application target group.
upvoted 0 times
...
Myra
8 months ago
Okay, let's break this down step-by-step. We need to configure the load balancer to handle the management application separately from the web application, and restrict access to the management app to the company's on-premises IP address space.
upvoted 0 times
...
Josephine
8 months ago
This question seems straightforward, but I want to make sure I understand the requirements correctly before I start solving it.
upvoted 0 times
...
Cornell
8 months ago
Hmm, this looks like a tricky one. I'll need to think carefully about the right commands to extend the repair delay time.
upvoted 0 times
...
Shizue
8 months ago
If I remember correctly, targeting executive priorities is definitely important when communicating with them.
upvoted 0 times
...
Iluminada
8 months ago
Okay, I got this. I just need to compare the benefit-cost ratios and select the drug with the highest ratio. That will be the most efficient use of resources.
upvoted 0 times
...
Gayla
1 year ago
I can't believe they're even considering these options. It's like they're trying to make a secure system by throwing darts at a wall of AWS features.
upvoted 0 times
Jeffrey
1 year ago
Yeah, Option A definitely stands out as the most logical choice. It's important to have a clear plan when setting up a system like this.
upvoted 0 times
...
Lon
1 year ago
I agree, Option A is the way to go. It's important to have the right configuration for security.
upvoted 0 times
...
Novella
1 year ago
Option A seems like the best choice to me. It covers all the requirements and seems the most secure.
upvoted 0 times
...
...
Kattie
1 year ago
E? Really? Disabling stickiness for the web app? That's just asking for trouble. Not a chance.
upvoted 0 times
Kristofer
1 year ago
C) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the X-Forwarded-For HTTP header for the on-premises IP address space. Forward requests to the management application target group if there is a match. Enable group-level stickiness in the rule attributes.
upvoted 0 times
...
Lyda
1 year ago
B) Modify the default rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-Ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is not a match. Enable group-level stickiness in the rule attributes.
upvoted 0 times
...
Tien
1 year ago
A) Insert a rule for the load balancer HTTPS listener. Configure the rule to check the path-pattern condition type for the /management prefix and to check the source-ip condition type for the on-premises IP address space. Forward requests to the management application target group if there is a match. Edit the management application target group and enable stickiness.
upvoted 0 times
...
...
Jaime
1 year ago
D is an interesting idea, but forwarding the management app to the web app target group doesn't seem quite right. We want to keep them separate.
upvoted 0 times
...
Eun
1 year ago
I'm not sure, but I think option B could also be a valid choice.
upvoted 0 times
...
Alba
1 year ago
C looks interesting, but I'm not a fan of relying on the X-Forwarded-For header for IP verification. That could be easily spoofed.
upvoted 0 times
Elin
1 year ago
User 2: Definitely, we need a more secure way to restrict access to the management application.
upvoted 0 times
...
Deandrea
1 year ago
User 1: I agree, relying on the X-Forwarded-For header for IP verification is risky.
upvoted 0 times
...
...
Lashandra
1 year ago
I agree with Alishia. Those steps seem to meet all the requirements.
upvoted 0 times
...
Glennis
1 year ago
I'm not sure about B. Modifying the default rule to handle the management app doesn't seem as clean as having a dedicated rule for it.
upvoted 0 times
...
Alishia
1 year ago
I think the correct steps are A and C.
upvoted 0 times
...
Johnna
1 year ago
Hmm, I think option A is the way to go. Separating the management application into its own target group and using path-based routing to restrict access to the on-premises IP space seems like a solid approach.
upvoted 0 times
...

Save Cancel