Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 240 discussion

A company is deploying a web portal. The company wants to ensure that only the web portion of the application is publicly accessible. To accomplish this, the VPC was designed with two public subnets and two private subnets. The application will run on several Amazon EC2 instances in an Auto Scaling group. SSL termination must be offloaded from the EC2 instances.
What should a solutions architect do to ensure these requirements are met?

  • A. Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the private subnets and associate it with the Application Load Balancer.
  • B. Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the public subnets and associate it with the Application Load Balancer.
  • C. Configure the Application Load Balancer in the public subnets. Configure the Auto Scaling group in the private subnets and associate it with the Application Load Balancer.
  • D. Configure the Application Load Balancer in the private subnets. Configure the Auto Scaling group in the private subnets and associate it with the Application Load Balancer.
Suggested Answer: C 🗳️

Comments

sctmp
Highly Voted 3 years, 8 months ago
C since Internet-facing Application Load Balancers (ALB) and Classic ELBs must be provisioned exclusively in public subnets.
upvoted 47 times
HuseinHasan
3 years, 8 months ago
Can you explain why you will configure the Auto Scaling group in a private subnet, as I am confused with B and C?
upvoted 3 times
Lucky_
3 years, 6 months ago
Servers are not exposed to Public, hence they are residing in Private Subnet. Web part is exposed which is in Public Subnet but the data is getting fetched from the servers. In order to provide seamless service in case of extreme traffic we need to configure Auto Scaling in private subnets.
upvoted 2 times
...
ramisohail
3 years, 8 months ago
Because the machines are residing in the private subnets to be secure but they are published over the internet, so for maximum security you can place the Application Load Balancer in the public subnet and it will forward the traffic to the private Auto Scaling group and it will handle the SSL offloading, so it has to be an application-aware layer 7 load balancer.
upvoted 24 times
aguy9
3 years, 7 months ago
Yep, agree C is the answer.
upvoted 1 times
...
rcher
3 years, 7 months ago
Well the question is asking for SSL to be offloaded at the EC2, not ALB.
upvoted 1 times
soti84
3 years, 7 months ago
SSL offloading should happen in the public subnet level / DMZ layer so the ALB should do that.
upvoted 3 times
...
...
...
...
...
MiNinja
Highly Voted 3 years, 7 months ago
After extensive research, I found that SSL termination happens on ALB, and since last year TLS termination can be done on NLB. Answer here would therefore be C.
upvoted 28 times
KALRAV
3 years, 7 months ago
Thanks, it would have been better if you shared a few links.
upvoted 3 times
dave0808
3 years, 7 months ago
"Until now, you had to handle the termination process within each EC2 instance. This added to the load on the instance and also required you to install an X.509 certificate on each instance. With this new release, you can simply upload the certificates to your AWS account and we’ll take care of getting them distributed to the load balancers." https://aws.amazon.com/blogs/aws/elastic-load-balancer-support-for-ssl-termination/
upvoted 5 times
bluetaurianbull
3 years, 7 months ago
Where does it say "that SSL termination happens on ALB, and since last year TLS termination can be done on NLB"? To me it says ALL ELBs (ALB, NLB etc.) now support SSL termination.
upvoted 3 times
...
...
...
...
akbarijoon
Most Recent 1 year, 7 months ago
Selected Answer: C
Option C correctly positions the Application Load Balancer in public subnets to handle incoming web traffic, offload SSL termination, and associates the Auto Scaling group in private subnets to keep the application instances private, making it the most appropriate choice to meet the requirements.
upvoted 1 times
...
queen101
2 years, 9 months ago
CCCCCCCCCCCCCC
upvoted 1 times
...
nexus2020
2 years, 10 months ago
IMO, no option is right, and here is why. If SSL is terminated on instances, then it does not matter whether it is a public subnet or a private subnet; ALB can NOT support SSL passthrough, so we will need 2 NLBs, one for the public subnet and one for the private subnet.
upvoted 1 times
...
cloud_collector
2 years, 10 months ago
C should be better. https://medium.com/awesome-cloud/aws-difference-between-application-load-balancer-and-network-load-balancer-cb8b6cd296a4
upvoted 1 times
...
marklovesaws143
2 years, 10 months ago
Selected Answer: C
CCCCCCCCCCC
upvoted 3 times
...
bora4motion
2 years, 10 months ago
The traffic will hit a LB first. Since it's SSL you have to go with an ALB. C
upvoted 1 times
...
slcheng
2 years, 10 months ago
Selected Answer: C
AWS best practice..
upvoted 2 times
...
achrafsky
3 years ago
Selected Answer: C
C for sure
upvoted 2 times
...
leebug
3 years, 1 month ago
A since SSL termination is delegated to EC2 instances.
upvoted 2 times
...
goblin123
3 years, 2 months ago
Those, who say A, read carefully: "Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the private subnets and associate it with the Application Load Balancer." It says NLB, then ALB :)))) This rules out the option A automatically.
upvoted 3 times
naveenagurjara
2 years, 11 months ago
How? You can daisy chain NLB with an ALB and ASG behind the internal ALB.
upvoted 1 times
...
...
kitkwok
3 years, 3 months ago
Q: How do I use Tape Gateway with S3 Glacier Deep Archive storage class? A: When creating new tapes through the Storage Gateway console or API, you can set archival storage target to S3 Glacier Deep Archive. When your backup software ejects the tapes, they will be archived to S3 Glacier Deep Archive. You can retrieve a virtual tape archived in S3 Glacier Deep Archive to S3 using standard retrieval method typically within 12 hours.
upvoted 1 times
...
Jeffdu
3 years, 3 months ago
Selected Answer: C
For offloading purposes from EC2 mentioned, it has to be application level, not network.
upvoted 2 times
...
SmartDude
3 years, 3 months ago
Selected Answer: C
SSL happens at layer 6 of OSI. NLB is at Layer 4, So only ALB can do it.
upvoted 6 times
...
Hybrid_Cloud_boy
3 years, 3 months ago
Selected Answer: A
A - because ALB requires SSL termination, NLB you can bypass SSL and offload to EC2 like the requirements dictate.
upvoted 5 times
...
Hybrid_Cloud_boy
3 years, 3 months ago
"SSL termination must be delegated to a separate instance on Amazon EC2." To me, this means NLB not ALB. This reads as if they need SSL termination to happen on an EC2-hosted proxy... which would force use of NLB since ALB operates in full-proxy mode. Answer is 100% A, unless that SSL termination statement is missing some words :p
upvoted 2 times
goblin123
3 years, 2 months ago
"Configure the Network Load Balancer in the public subnets. Configure the Auto Scaling group in the private subnets and associate it with the Application Load Balancer." read carefully, it says NLB and then ALB. You're unlikely going to keep two ELBs, don't you? So, option A is wrong as well.
upvoted 1 times
...
...
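
Added example, not part of the original thread or any commenter's post: the layout in the suggested answer (C) written as a CloudFormation template. Parameter names, the instance type, the group sizes and the use of plain HTTP on port 80 between the load balancer and the instances are assumptions made for illustration.

```yaml
# Added example: option C as a CloudFormation template. Parameter names are assumptions.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  PublicSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}   # the two public subnets
  PrivateSubnets: {Type: "List<AWS::EC2::Subnet::Id>"}  # the two private subnets
  CertificateArn: {Type: String}                        # ACM certificate for the portal
  ImageId: {Type: "AWS::EC2::Image::Id"}
Resources:
  AlbSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from the internet to the ALB
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  AppSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTP from the ALB security group only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 80, ToPort: 80, SourceSecurityGroupId: !Ref AlbSg}
  Alb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties: {Type: application, Scheme: internet-facing, Subnets: !Ref PublicSubnets, SecurityGroups: [!Ref AlbSg]}
  Targets:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties: {VpcId: !Ref VpcId, Protocol: HTTP, Port: 80, TargetType: instance}
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref Alb
      Protocol: HTTPS            # TLS terminates here, not on the instances
      Port: 443
      Certificates: [{CertificateArn: !Ref CertificateArn}]
      DefaultActions: [{Type: forward, TargetGroupArn: !Ref Targets}]
  Template:
    Type: AWS::EC2::LaunchTemplate
    Properties:
      LaunchTemplateData: {ImageId: !Ref ImageId, InstanceType: t3.micro, SecurityGroupIds: [!Ref AppSg]}
  Asg:
    Type: AWS::AutoScaling::AutoScalingGroup
    Properties:
      VPCZoneIdentifier: !Ref PrivateSubnets   # instances live only in the private subnets
      TargetGroupARNs: [!Ref Targets]          # the ASG registers its instances with the ALB
      MinSize: "2"
      MaxSize: "4"
      LaunchTemplate: {LaunchTemplateId: !Ref Template, Version: !GetAtt Template.LatestVersionNumber}
```

The instance security group admits traffic only from the load balancer's security group, so the instances stay unreachable from the internet even if a subnet route is later misconfigured.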