AWS Certified Solutions Architect - Associate / Question #1346 of 1019

Question #1346

A solutions architect must design a secure VPC network hosting Amazon EC2 instances in a private subnet. The instances require access to specific external API endpoints via their URLs for data synchronization, while blocking all other internet traffic. Which solution meets these requirements?

A

Deploy an AWS Network Firewall and configure a stateful rule group with domain allow lists for the approved API endpoints.

B

Use AWS Shield Advanced with a web ACL to allow traffic to the API endpoints and protect against DDoS attacks.

C

Update the security group outbound rules to permit HTTPS traffic only to the IP addresses of the API endpoints.

D

Implement a NAT Gateway in the public subnet and use prefix lists in the route table to restrict outbound traffic.

Explanation

The correct answer is A. AWS Network Firewall stateful rule groups support domain lists that match the hostname an outbound connection presents: the TLS Server Name Indication (SNI) for HTTPS, or the Host header for plaintext HTTP. Configured as an allow list, the rule group passes HTTP/TLS traffic to the approved API domains and drops HTTP/TLS traffic to every other domain, so the instances can reach the endpoints by URL even when the endpoints' IP addresses change. Two things are needed for "blocking all other internet traffic" to hold: the private subnet's default route must point at the firewall endpoint so traffic actually passes inspection on its way to the NAT gateway, and the firewall policy's default action (or an explicit drop rule) must drop egress that is not HTTP/TLS, because the domain list does not decide on that traffic.

Why other options are incorrect:
- B: AWS Shield Advanced provides DDoS protection, and the web ACL it works with belongs to AWS WAF, which filters inbound HTTP(S) requests arriving at CloudFront, an Application Load Balancer, API Gateway and similar resources. Neither controls outbound traffic from EC2 instances.
- C: Security groups match on IP addresses, CIDR ranges and prefix lists, not on domain names. Public API endpoints usually resolve to many changing addresses behind CDNs or load balancers, so an IP allow list either breaks when the addresses rotate or has to be widened until it no longer restricts anything.
- D: A NAT gateway provides outbound IPv4 connectivity for a private subnet but performs no filtering. A managed prefix list in a route table only chooses where traffic is sent, and like a security group rule it holds static IP ranges, not domain names.

Key Points:
- Use an AWS Network Firewall domain list rule group (TLS_SNI and HTTP_HOST targets, allow-list mode) for FQDN-based egress filtering.
- Stateful rules track connection state, so the hostname is evaluated once when the flow is set up and the pass or drop decision applies to the whole flow.
- Private subnets still need a NAT gateway for outbound IPv4 internet access; the firewall endpoint sits in the path between the private subnet and the NAT gateway and does the filtering, with the route tables of the private subnet, firewall subnet and public subnet arranged so that both directions of each flow traverse it.
- Caveat: without TLS inspection the firewall trusts the SNI or Host value the client sends and does not check that the destination actually holds a certificate for that name, so a compromised instance can present an allowed SNI while connecting to an unrelated IP. Treat domain filtering as a strong control against accidental or opportunistic egress, not as a substitute for instance hardening.
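As an added example (not part of the original question, and not AWS's own code), the block below shows the request shape for a domain list rule group in allow-list mode, the firewall-policy fields that make it authoritative, and a small simulation of how the allow list decides on outbound Host/SNI values, including the leading-dot subdomain semantics and the protocols the domain list does not decide on. The domain names and the rule-group ARN are constructed placeholders, and `domain_matches()` is this example's own mirror of the documented matching behaviour, not the firewall's implementation; the policy fragment goes a step beyond the explanation text by showing the strict-order default drop that covers non-HTTP/TLS egress.

```python
"""Added example, not from the original page or from AWS: request shape of
a Network Firewall domain-list rule group and a simulation of how its
ALLOWLIST mode decides on outbound HTTP Host / TLS SNI values.

Assumptions: the domain names and rule-group ARN are constructed
placeholders; domain_matches() mirrors the documented leading-dot
semantics but is this example's own code, not AWS's implementation."""
from __future__ import annotations

# Constructed allow list: one exact hostname, and one leading-dot entry
# that covers the domain itself plus every subdomain.
APPROVED_DOMAINS = ["api.partner-one.example", ".sync.partner-two.example"]


def domain_allowlist_rule_group(name: str, domains: list[str],
                                capacity: int = 100) -> dict:
    """Request body for network-firewall CreateRuleGroup (boto3 / CLI shape):
    a stateful domain-list rule group in ALLOWLIST mode that inspects both
    the TLS SNI and the plaintext HTTP Host header."""
    return {
        "RuleGroupName": name,
        "Type": "STATEFUL",
        "Capacity": capacity,
        "RuleGroup": {
            "RulesSource": {
                "RulesSourceList": {
                    "Targets": list(domains),
                    "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
                    "GeneratedRulesType": "ALLOWLIST",
                }
            },
            # Must agree with the rule order used by the firewall policy.
            "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
        },
    }


def domain_matches(target: str, hostname: str) -> bool:
    """A leading-dot target matches the domain and any subdomain; a target
    without the dot must match exactly. The '.' boundary is what stops
    'evilsync.partner-two.example' matching '.sync.partner-two.example'."""
    target = target.lower()
    hostname = hostname.lower().rstrip(".")
    if target.startswith("."):
        base = target[1:]
        return hostname == base or hostname.endswith("." + base)
    return hostname == target


def allowlist_decision(domains: list[str], protocol: str,
                       hostname: str | None) -> str:
    """Outcome of the domain list for one outbound flow.
    HTTP/TLS flows carrying a hostname: 'pass' if listed, else 'drop'.
    Everything else (raw IP connections, other protocols, TLS without SNI)
    is not decided by the domain list; the policy's stateful default action
    has to drop it for 'block all other internet traffic' to hold."""
    if protocol not in ("http", "tls") or not hostname:
        return "not-covered-by-domain-list"
    if any(domain_matches(d, hostname) for d in domains):
        return "pass"
    return "drop"


def egress_policy_fragment(rule_group_arn: str) -> dict:
    """Firewall-policy fields that make the domain list authoritative:
    strict rule order plus a default drop for any flow no rule passed."""
    return {
        "StatefulRuleGroupReferences": [
            {"ResourceArn": rule_group_arn, "Priority": 1},
        ],
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulDefaultActions": ["aws:drop_strict"],
    }


if __name__ == "__main__":
    import json

    print(json.dumps(domain_allowlist_rule_group("egress-allow",
                                                 APPROVED_DOMAINS), indent=2))
    # Constructed sample flows, including a look-alike hostname and a raw
    # TCP connection that the domain list alone would never see as HTTP/TLS.
    for proto, host in [("tls", "api.partner-one.example"),
                        ("tls", "eu.sync.partner-two.example"),
                        ("http", "evilsync.partner-two.example"),
                        ("tls", "api.partner-one.example.attacker.example"),
                        ("tcp", None)]:
        print(proto, host, "->", allowlist_decision(APPROVED_DOMAINS, proto, host))
```

The `not-covered-by-domain-list` outcome is the part people miss when they assume a domain allow list is the whole answer: an SSH or custom-port connection to a raw IP carries no Host or SNI, so only the policy's `aws:drop_strict` default (or an explicit drop rule in a default-order policy) stops it.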

Answer

The correct answer is: A