Question #1773
A global company hosts its web application on Amazon EC2 instances in multiple AWS Regions. The application uses HTTP protocols and requires high availability, low latency, and protection against OWASP Top 10 vulnerabilities. The architecture must include static IP addresses for consistent access.
What should the solutions architect implement to satisfy these requirements?
A. Place EC2 instances behind Application Load Balancers (ALBs) in each Region. Configure AWS WAF on each ALB. Use AWS Global Accelerator with the ALBs as endpoints to route traffic through static IPs.
B. Deploy EC2 instances with Network Load Balancers (NLBs) in each Region. Attach AWS WAF to an Amazon CloudFront distribution. Set up Route 53 with latency-based routing to the NLBs.
C. Use Application Load Balancers (ALBs) fronting EC2 instances across Regions. Create an Amazon CloudFront distribution with ALB origins and associate AWS WAF. Configure Route 53 with geolocation routing.
D. Implement Network Load Balancers (NLBs) in each Region. Deploy AWS WAF on the NLBs. Create a Global Accelerator with NLB endpoints and static IPs.
Explanation
Answer A is correct because:
1. AWS WAF on ALB: AWS WAF can be associated directly with an ALB, where its rules inspect HTTP requests and protect against the OWASP Top 10 classes of web vulnerabilities.
2. Global Accelerator: Provides two static anycast IP addresses and routes each client to the nearest healthy Region for low latency and high availability.
3. ALBs as endpoints: ALBs operate at Layer 7 and handle HTTP traffic effectively, unlike NLBs, which operate at Layer 4 and are better suited for TCP/UDP.
Other options fail because:
- B/D: AWS WAF cannot be attached to an NLB; it must be associated with an ALB or a CloudFront distribution.
- C: CloudFront does not provide static IP addresses (clients reach it through its DNS name), and geolocation routing does not guarantee the lowest latency.
- D: Attaching AWS WAF to an NLB is not a valid configuration.
Key Points: Use ALB + AWS WAF for HTTP-layer security; use Global Accelerator for static IPs and global routing.
Answer
The correct answer is: A