AWS Certified Solutions Architect - Associate / Question #1964 of 1019

Question #1964

An organization uses AWS Organizations to manage multiple AWS accounts. A centralized security VPC in the network account hosts a third-party intrusion detection system (IDS). All traffic between application accounts must be inspected by the IDS before reaching its destination.

Which solution will meet these requirements?

A

Deploy a Network Load Balancer (NLB) in the network account to direct traffic to the IDS. Configure application accounts to route traffic through the NLB using a Gateway VPC endpoint in each application account.

B

Deploy an Application Load Balancer (ALB) in each application account to forward traffic directly to the IDS in the network account.

C

Deploy a Gateway Load Balancer (GWLB) in the network account to send traffic to the IDS. Configure application accounts to route traffic through the GWLB using a Gateway Load Balancer endpoint in each application account.

D

Deploy an interface VPC endpoint in the network account to allow application accounts to send traffic directly to the IDS.

Explanation

Option C is correct because:
- Gateway Load Balancer (GWLB) is purpose-built for inserting third-party appliances (e.g., an IDS) transparently into VPC traffic flows. It encapsulates each packet using the GENEVE protocol and forwards it to the IDS for inspection, so the appliance sees the original traffic unchanged.
- A GWLB endpoint in each application account lets that account route its traffic to the centralized GWLB in the network account, so all traffic is inspected by the IDS before reaching its destination.

Why other options are incorrect:
- A: An NLB cannot be reached through a Gateway VPC endpoint; gateway endpoints are designed for AWS services, not for load balancers. Steering all cross-account traffic through an NLB would also be complex and not scalable.
- B: An ALB operates at Layer 7 (HTTP/HTTPS only), so it cannot carry other traffic to the IDS, and deploying one per account defeats centralized inspection.
- D: Interface VPC endpoints provide private access to AWS services; they do not redirect general VPC traffic through a third-party appliance for inspection.

Key Points:
1. GWLB is the AWS-recommended solution for third-party security appliances.
2. GWLB endpoints enable cross-account traffic redirection.
3. Centralized inspection avoids duplicating resources across accounts.

Answer

The correct answer is: C