Question #1079
A company runs a web application behind an AWS Application Load Balancer (ALB) configured with listeners for both HTTP (port 80) and HTTPS (port 443). To enhance security, they need to ensure all client requests are automatically redirected from HTTP to HTTPS while maintaining the original request URI and query parameters. Which solution will achieve this with the least operational overhead?
A. Modify the ALB's security group to block inbound HTTP traffic.
B. Configure an Amazon CloudFront distribution in front of the ALB with a redirect behavior from HTTP to HTTPS.
C. Add a listener rule on the ALB's HTTP listener to redirect all requests to HTTPS using a 301 response.
D. Replace the ALB with a Gateway Load Balancer (GWLB) that supports TLS termination.
Explanation
Option C is correct because Application Load Balancers (ALBs) natively support listener rules that can redirect HTTP (port 80) traffic to HTTPS (port 443) using a 301 (permanent redirect) or 302 (temporary redirect) response. This ensures the original URI and query parameters are preserved, meeting the security requirement. Configuring this rule directly on the ALB avoids introducing new services (e.g., CloudFront in Option B) or disrupting existing traffic (e.g., blocking HTTP entirely in Option A).
Why other options are incorrect:
- A: Blocking HTTP traffic via security groups would result in connection errors, not redirects.
- B: CloudFront adds complexity and cost, making it less efficient than ALB-native rules.
- D: Gateway Load Balancers (GWLB) are designed for third-party appliances, not HTTP/HTTPS traffic handling.
Key Points:
1. ALB listener rules can redirect HTTP to HTTPS while preserving the request path and parameters.
2. A 301 redirect is SEO-friendly and ensures clients switch to HTTPS permanently.
3. Native ALB features minimize operational overhead compared to external solutions.
Answer
The correct answer is: C
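As an added example (not part of the original question or AWS code), the check below audits listener definitions for the configuration described in option C: every HTTP listener redirects to HTTPS with a 301 and leaves host, path and query at their preserving defaults. It assumes input in the shape returned by the elbv2 describe-listeners API and inspects only each listener's default action; the ARNs and sample data are constructed.

```python
# Added example, not AWS or page code. Listener dicts follow the shape returned by
# the elbv2 describe-listeners API; the ARNs and sample data are constructed.

# ALB redirect defaults that keep the client's host, path and query unchanged.
PRESERVING = {"Host": "#{host}", "Path": "/#{path}", "Query": "#{query}"}

def redirect_findings(listener):
    """Return the problems found on one listener (empty list means compliant)."""
    if listener.get("Protocol") != "HTTP":
        return []  # only plain-HTTP listeners need the redirect
    redirects = [a for a in listener.get("DefaultActions", [])
                 if a.get("Type") == "redirect"]
    if not redirects:
        return ["default action is not a redirect"]
    cfg = redirects[0].get("RedirectConfig", {})
    problems = []
    if cfg.get("Protocol") != "HTTPS":
        problems.append("redirect target is not HTTPS")
    if cfg.get("StatusCode") != "HTTP_301":
        problems.append("status code is not HTTP_301")
    for field, keep in PRESERVING.items():
        # An omitted field falls back to the preserving default.
        if cfg.get(field, keep) != keep:
            problems.append(f"{field} is rewritten to {cfg[field]!r}")
    return problems

def audit(listeners):
    """Map ListenerArn -> problems for every non-compliant HTTP listener."""
    findings = {l["ListenerArn"]: redirect_findings(l) for l in listeners}
    return {arn: p for arn, p in findings.items() if p}

def _redirect(**cfg):
    return [{"Type": "redirect", "RedirectConfig": cfg}]

SAMPLE_LISTENERS = [  # constructed
    {"ListenerArn": "arn:example:https", "Protocol": "HTTPS", "Port": 443,
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:example:http-ok", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": _redirect(Protocol="HTTPS", Port="443", StatusCode="HTTP_301")},
    {"ListenerArn": "arn:example:http-forward", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": [{"Type": "forward"}]},
    {"ListenerArn": "arn:example:http-302-home", "Protocol": "HTTP", "Port": 80,
     "DefaultActions": _redirect(Protocol="HTTPS", Port="443", Path="/home",
                                 StatusCode="HTTP_302")},
]

if __name__ == "__main__":
    for arn, problems in audit(SAMPLE_LISTENERS).items():
        print(arn, "->", "; ".join(problems))
```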