
Exam AWS Certified Security - Specialty topic 1 question 341 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 341
Topic #: 1

A company requires deep packet inspection on encrypted traffic to its web servers in its VPC.

Which solution will meet this requirement?

  • A. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
  • B. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS Network Firewall endpoint for the deep packet inspection.
  • C. Decrypt traffic by using an Application Load Balancer (ALB) that is configured for TLS termination. Configure the ALB to send the traffic to an AWS WAF endpoint for the deep packet inspection.
  • D. Decrypt traffic by using a Network Load Balancer (NLB) that is configured for TLS termination. Configure the NLB to send the traffic to an AWS WAF endpoint for the deep packet inspection.
Suggested Answer: B

Comments

D2
Highly Voted 2 years, 7 months ago
Ans B https://aws.amazon.com/network-firewall/faqs/ Can AWS Network Firewall inspect encrypted traffic? AWS Network Firewall does not currently support deep packet inspection for encrypted traffic. To work around this limitation, you can decrypt traffic using a Network Load Balancer (NLB) before sending it to an AWS Network Firewall endpoint. Also, for HTTPS traffic, AWS Network Firewall can inspect the domain name provided by the Server Name Indicator (SNI) during the TLS handshake.
upvoted 12 times
Tofu13
2 years ago
Answer of above FAQ has changed to: AWS Network Firewall does support deep packet inspection for encrypted traffic. So this question is not likely to come up with this wording.
upvoted 4 times
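The FAQ answer quoted above draws the line the rest of this thread argues over: while a flow is still encrypted, a stateful inspection engine can only read what the TLS handshake exposes in cleartext (the SNI host name), and payload rules such as URI or body matches only have something to match once a TLS listener (the NLB in option B) has terminated the session and is forwarding plaintext toward the targets. The Python below is an added illustration, not AWS code and not how Network Firewall is implemented: it parses the SNI out of a constructed ClientHello and evaluates a small, made-up Suricata-style rule set (the sids, buffer names and contents are hypothetical) against an encrypted flow and against the plaintext HTTP request a terminating load balancer would hand to the firewall.

```python
import struct

# Hypothetical Suricata-style rules (sids, buffers and contents are made up here).
# Network Firewall's stateful engine takes Suricata-compatible rules; only the
# tls.sni rule has anything to match on while the flow is still encrypted.
RULES = [
    {"sid": 1, "buffer": "tls.sni", "content": b"bad.example.com", "msg": "blocked SNI"},
    {"sid": 2, "buffer": "http.uri", "content": b"/etc/passwd", "msg": "path traversal"},
    {"sid": 3, "buffer": "http.request_body", "content": b"UNION SELECT", "msg": "SQLi probe"},
]


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record carrying an SNI."""
    host = sni.encode("ascii")
    name_list = struct.pack("!BH", 0, len(host)) + host        # name type 0 = host_name
    sni_ext = struct.pack("!H", len(name_list)) + name_list
    exts = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext   # extension type 0 = server_name
    body = (
        b"\x03\x03" + b"\x11" * 32 + b"\x00"                    # version, random, empty session id
        + b"\x00\x02\x13\x01" + b"\x01\x00"                      # one cipher suite, null compression
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def is_tls_record(flow: bytes) -> bool:
    """True for anything framed as a TLS record (handshake, alert, app data, ...)."""
    return len(flow) >= 3 and flow[0] in (0x14, 0x15, 0x16, 0x17) and flow[1] == 0x03


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello's server_name extension, else None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                             # skip version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):
            return None                                          # no extensions at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata, pos = body[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype == 0x0000 and len(edata) >= 5:
                p, list_end = 2, 2 + struct.unpack("!H", edata[:2])[0]
                while p + 3 <= list_end:
                    ntype, nlen = struct.unpack("!BH", edata[p:p + 3])
                    if ntype == 0:
                        return edata[p + 3:p + 3 + nlen].decode("ascii", "replace")
                    p += 3 + nlen
    except (struct.error, IndexError):
        return None
    return None


def inspect(flow: bytes) -> list:
    """Rule sids that fire on what the firewall can actually see in this flow."""
    hits = []
    if is_tls_record(flow):
        sni = extract_sni(flow)                                  # the only readable field
        if sni is not None:
            hits += [r["sid"] for r in RULES
                     if r["buffer"] == "tls.sni" and r["content"] in sni.encode().lower()]
        return hits                                              # application data is opaque
    # Plaintext HTTP: what a TLS-terminating listener forwards toward the targets.
    head, _, body = flow.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    for r in RULES:
        if r["buffer"] == "http.uri" and r["content"] in uri:
            hits.append(r["sid"])
        elif r["buffer"] == "http.request_body" and r["content"] in body.upper():
            hits.append(r["sid"])
    return hits


if __name__ == "__main__":
    req = b"GET /etc/passwd HTTP/1.1\r\nHost: shop.example.com\r\n\r\n"   # constructed
    print("encrypted, benign SNI :", inspect(build_client_hello("shop.example.com")))
    print("encrypted, bad SNI    :", inspect(build_client_hello("bad.example.com")))
    print("encrypted app data    :", inspect(b"\x17\x03\x03\x00\x10" + b"\x00" * 16))
    print("after TLS termination :", inspect(req))
```

The encrypted application-data record yields no hits at all, and the ClientHello only ever trips the SNI rule; the URI and body rules fire solely on the plaintext request. That is the property the question is testing: the deep inspection has to sit after the point where TLS is terminated, whatever terminates it.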
Arad
Most Recent 1 year ago
Selected Answer: B
B is the right answer.
upvoted 1 times
yorkicurke
1 year, 6 months ago
Selected Answer: A
I will still go for A even though NLB now supports TLS and all; here is why. The key difference between them when it comes to handling decrypted traffic: ALBs operate at the request level (layer 7), which allows them to inspect the content of the traffic and make routing decisions based on that. This makes them suitable for use cases like the one in Option A, where the decrypted traffic needs to be sent to AWS Network Firewall for deep packet inspection. NLBs operate at the connection level (layer 4), which means they can't inspect the content of the traffic. They make routing decisions based on IP protocol data, such as source IP, source port, destination IP, and destination port. This makes them less suitable for use cases like the one in Option B, where the decrypted traffic needs to be inspected.
upvoted 1 times
nznzwell
1 year, 3 months ago
Your reasoning does not make sense. ALB and NLB are mainly there to forward traffic; they don't "inspect" traffic as you claimed. Once the TLS traffic is decrypted, the traffic itself is not altered by the LB, so the AWS Network Firewall can do DPI anyway.
upvoted 1 times
dante_2k5
2 years ago
Selected Answer: B
Option A, which suggests using an ALB for TLS termination, is incorrect because ALB only supports TLS termination on port 443 and may not meet the requirement if the traffic is not using port 443, which in this case is not made explicit. Option C and Option D are not valid because AWS WAF is not suitable for deep packet inspection.
upvoted 2 times
vherman
2 years ago
Selected Answer: A
A looks best.
upvoted 1 times
Toptip
2 years ago
Selected Answer: B
NLB + Network Firewall
upvoted 1 times
ITGURU51
2 years, 1 month ago
A is the best answer because the ALB is designed to load balance http and https requests. Furthermore terminating TLS traffic using an (ALB) is a common practice for enterprise networks. AWS Network Firewall provides deep packet inspection to analyze malicious traffic flowing in and out of the VPC. A
upvoted 1 times
Cyp
2 years, 2 months ago
Selected Answer: B
The answer is B. With ALB you can only create a TLS listener for port 443, but with NLB you can create a TLS listener of your choice. Remember, the traffic that Network Firewall is going to inspect doesn't necessarily have to be HTTPS.
upvoted 1 times
examaws
2 years, 3 months ago
Selected Answer: A
NLB cannot perform TLS termination. So even if NLB can decrypt traffic, you need another appliance behind that NLB before sending the traffic to Network Firewall. ALB can handle everything required, decryption and TLS termination, before sending to Network Firewall.
upvoted 3 times
nairj
2 years, 2 months ago
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-tls-listener.html NLB Can perform TLS termination.
upvoted 3 times
rijub2022
2 years, 3 months ago
Selected Answer: A
https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall-with-vpc-routing-enhancements/ “ In the figure 3 example, an Application Load Balancer (ALB) enables you to offload TLS. Decrypted HTTP traffic is sent to backend application targets which could be in a different AZ enabling HTTP header and payload inspection. Following our principle, traffic from ALB to backend target is inspected in the same AZ as the client (ALB). The application in turn requires connectivity to the relational (main/active node) database. This traffic once again is processed closer to the client (application EC2 instance) and traffic is returned symmetrically.”
upvoted 1 times
sakibmas
2 years, 5 months ago
Selected Answer: A
ALB — Layer 7 (HTTP/HTTPS traffic), Flexible. NLB — Layer 4 (TLS/TCP/UDP traffic), Static IPs.
upvoted 1 times
Ciph
2 years, 5 months ago
A, please refer to part 2 in the link below. https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/
upvoted 1 times
secdaddy
2 years, 5 months ago
In support of B: TLS Termination for Network Load Balancers, https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
upvoted 1 times
Teknoklutz
2 years, 6 months ago
Selected Answer: B
Network Firewall IPS feature
upvoted 2 times
Fyssy
2 years, 6 months ago
Selected Answer: A
Unlike a Classic Load Balancer or an Application Load Balancer, a Network Load Balancer can't have application layer (layer 7) HTTP or HTTPS listeners. It only supports transport layer (layer 4) TCP listeners. HTTP and HTTPS traffic can be routed to your environment over TCP.
upvoted 1 times
ryogoku
2 years, 6 months ago
Selected Answer: A
It’s traffic to web servers. Why ALB is not correct? Is there aws doc stating ALB does not support sending traffic to network firewall?
upvoted 2 times
TerrenceC
2 years, 5 months ago
As of today, all the endpoint services could only be associated with either NLB or GWLB. That is the primary reason why ALB is out.
upvoted 2 times
Balki
2 years, 6 months ago
Selected Answer: B
AWS Network Firewall’s intrusion prevention system (IPS) provides active traffic flow inspection so you can identify and block vulnerability exploits using signature-based detection
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), Other