AWS Certified Solutions Architect - Associate / Question #1992 of 1019

Question #1992

A company is designing a web application with an internet-facing Application Load Balancer (ALB). The company needs the ALB to receive HTTPS web traffic from the public internet on port 443. The ALB must send this traffic to web application servers hosted on Amazon EC2 instances using HTTPS on port 8443. Additionally, the ALB must perform health checks on the EC2 instances over HTTPS on port 9443. Which combination of security group configurations for the ALB will meet these requirements? (Choose three.)

A

Allow HTTPS inbound traffic from 0.0.0.0/0 for port 443.

B

Allow all outbound traffic to 0.0.0.0/0 for port 8443.

C

Allow HTTPS outbound traffic to the EC2 instances for port 8443.

D

Allow HTTPS inbound traffic from the EC2 instances for port 8443.

E

Allow HTTPS outbound traffic to the EC2 instances for the health check on port 9443.

F

Allow HTTPS inbound traffic from the EC2 instances for the health check on port 9443.

Explanation

The ALB's security group must:
1. Allow inbound HTTPS (443) from the public internet (A) to receive traffic.
2. Allow outbound HTTPS (8443) to EC2 instances (C) to forward traffic.
3. Allow outbound HTTPS (9443) to EC2 instances (E) for health checks.

Why other options are incorrect:
- B: Overly permissive: it allows outbound traffic on port 8443 to any destination (0.0.0.0/0) instead of only to the EC2 instances, which violates least privilege.
- D/F: Inbound rules from the EC2 instances are unnecessary because the ALB initiates these connections, and the stateful security group already allows the responses.

Key Points:
- The ALB's outbound rules govern the traffic the ALB itself initiates, which includes both the forwarded requests (8443) and the health checks (9443).
- The EC2 instances' security group must allow inbound traffic from the ALB on ports 8443 and 9443.
- Security groups are stateful, so return traffic for an allowed connection is permitted automatically and needs no rule of its own.
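To make the reasoning above concrete, here is an added example (not part of the original question or of any AWS tooling) that models the six options as security group rules and checks which combinations allow the three flows the ALB accepts or initiates, while flagging egress open to the whole internet. The security group IDs and IP addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed identifiers and addresses for this example, not real AWS resources.
ALB_SG, EC2_SG, ANYWHERE = "sg-alb", "sg-ec2", "0.0.0.0/0"

@dataclass(frozen=True)
class Endpoint:
    ip: str
    sg: str = ""   # empty for hosts outside the VPC, such as internet clients

@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    port: int
    peer: str       # a CIDR block or a security group id

def rule_matches(rule, direction, port, peer):
    if rule.direction != direction or rule.port != port:
        return False
    if rule.peer.startswith("sg-"):                      # SG-referenced rule
        return peer.sg == rule.peer
    return ip_address(peer.ip) in ip_network(rule.peer)  # CIDR rule

def allows(rules, direction, port, peer):
    return any(rule_matches(r, direction, port, peer) for r in rules)

CLIENT = Endpoint("198.51.100.7")           # browser on the public internet
WEB_SERVER = Endpoint("10.0.2.15", EC2_SG)  # EC2 instance behind the ALB
ALB_NODE = Endpoint("10.0.1.10", ALB_SG)    # one of the ALB's nodes

OPTIONS = {  # the six answer options, as rules on the ALB's security group
    "A": Rule("in", 443, ANYWHERE),  "B": Rule("out", 8443, ANYWHERE),
    "C": Rule("out", 8443, EC2_SG),  "D": Rule("in", 8443, EC2_SG),
    "E": Rule("out", 9443, EC2_SG),  "F": Rule("in", 9443, EC2_SG),
}

# Flows the ALB accepts or initiates. Security groups are stateful, so the
# reply half of each connection needs no rule of its own.
REQUIRED = [("in", 443, CLIENT), ("out", 8443, WEB_SERVER), ("out", 9443, WEB_SERVER)]

def evaluate(choice):
    """Return (all required flows allowed, any egress rule open to the whole internet)."""
    rules = [OPTIONS[letter] for letter in choice]
    meets = all(allows(rules, *flow) for flow in REQUIRED)
    broad_egress = any(r.direction == "out" and r.peer == ANYWHERE for r in rules)
    return meets, broad_egress

def ec2_side_ok(ec2_rules):  # the instances' SG must admit both ALB-initiated flows
    return all(allows(ec2_rules, "in", port, ALB_NODE) for port in (8443, 9443))
```

`evaluate("ACE")` reports that every required flow is allowed with no broad egress, `evaluate("ABE")` also works but is flagged for its 0.0.0.0/0 egress, and `evaluate("ADF")` fails because the ALB has no outbound rules at all.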

Answer

The correct answer is: ACE