Exam AWS Certified Security - Specialty topic 1 question 240 discussion

C /Network Load Balancer is optimized to handle sudden and volatile traffic patterns while using a single static IP address per Availability Zone. Network Load Balancer also supports TLS termination, preserves the source IP of the clients, and provides stable IP support and Zonal isolation

C. lowest latency + e-2-e encryption.

NBL with TCP listener to pass through TLS traffic to the containers for end-to-end encryption (encrypt/decrypt ops handled by the containers). C is the right answer here.

C. Configure a Network Load Balancer with a TCP listener to pass through TLS traffic to the containers. To achieve the MOST scalability and LOWEST latency for end-to-end encryption between clients and Docker containers in Amazon ECS, configuring a Network Load Balancer (NLB) with a TCP listener to pass through TLS traffic to the containers is the optimal solution. By allowing the NLB to directly route the encrypted traffic without terminating or re-encrypting it, the solution minimizes processing overhead and latency, ensuring high scalability and efficient handling of volatile traffic patterns. This approach eliminates the need for additional decryption and encryption steps, resulting in improved performance.

Option C is the most suitable because it allows the Network Load Balancer (NLB) to act as a pass-through for TLS traffic without terminating the SSL/TLS connection. This means that the TLS traffic remains encrypted all the way from the clients to the containers, ensuring end-to-end encryption.

C for obvious reasons... For those who curious regarding D: ...multivalue answer routing is a feature of Amazon Route 53, which is a highly scalable Domain Name System (DNS) web service that translates domain names to IP addresses. Multivalue answer routing allows you to configure Route 53 to respond to DNS queries with multiple IP addresses for a single domain name. When a client requests a DNS resolution for a domain name with multivalue answer routing enabled, Route 53 randomly selects and returns one of the configured IP addresses, distributing traffic across the different resources associated with the domain name. This feature is useful when you have multiple resources that can serve a single application or website, and you want to distribute traffic evenly across all available resources. It also provides a measure of fault tolerance, as if one of the resources becomes unavailable, Route 53 will automatically route traffic to the remaining resources. https://repost.aws/knowledge-center/multivalue-versus-simple-policies

Anything with re-encryption will cause latency. Idk what is happening in option D. so C is the answer.

Selected C

NLB with TCP passthough is detailled below. Providing end-to-end TLS communication across ECS services without offloading or terminating the certificates, gives you the ability to achieve high throughput at ultra-low latency for applications that require the TCP protocol. https://aws.amazon.com/blogs/compute/maintaining-transport-layer-security-all-the-way-to-your-container-using-the-network-load-balancer-with-amazon-ecs/

C is the only option where there is no reencryption hence lowest latency

Answer C. As it's end end encryption the TLS should ends at the correct destination and not the ALB.

can I ask why not A?

Answer: C

The answer is C