Question #578
A company is deploying a web application on AWS and needs to ensure encrypted traffic between clients and the backend servers. They want to use AWS Certificate Manager (ACM) for managing SSL certificates wherever possible. Which setup meets these requirements?
A. Use an Application Load Balancer (ALB) with an ACM certificate, forwarding traffic to instances on port 80. Install a third-party SSL certificate on each instance.
B. Configure an ALB with an ACM certificate, terminating SSL at the ALB. Set up an HTTPS listener on the ALB forwarding to port 443 on instances, which have a third-party certificate installed.
C. Deploy a Network Load Balancer (NLB) with an ACM certificate, forwarding traffic to instances using TLS on port 443. Install the same ACM certificate on each instance.
D. Use CloudFront with an ACM certificate, pointing to an ALB with an HTTP listener. Install a third-party certificate on the ALB.
Explanation
Answer B is correct because:
1. ALB supports SSL termination with ACM, encrypting client-to-ALB traffic.
2. The ALB forwards traffic to instances via HTTPS (port 443), ensuring encryption between ALB and backend.
3. ACM cannot install certificates directly on instances, so a third-party certificate is used there, adhering to 'use ACM where possible'.
Other options fail because:
- A: Uses HTTP (port 80) between ALB and instances, breaking encryption.
- C: NLBs cannot terminate SSL/TLS with ACM certificates.
- D: The ALB uses an HTTP listener, leaving CloudFront-to-ALB traffic unencrypted.
Key Points:
- ALB + ACM enables SSL termination at the load balancer.
- Backend encryption requires certificates on instances (third-party if ACM isn't supported).
- NLBs/CloudFront may not fully meet encryption requirements in this scenario.
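As an added example (not part of the original question or of any AWS tooling), the following Python check turns the rule the explanation applies to setups A and B into an audit: the client-facing listener must be HTTPS with an ACM certificate, and every target group it forwards to must be HTTPS. The records are constructed to mirror the shape of boto3 `elbv2` `describe_listeners` / `describe_target_groups` output; the ARNs, target group names and account id are placeholders.

```python
from typing import Dict, List

# Constructed fixtures shaped like boto3 elbv2 describe_listeners /
# describe_target_groups output; ARNs and the account id are placeholders.
ACM_CERT_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-ID"
TARGET_GROUPS = {
    "arn:tg-http": {"TargetGroupName": "web-http", "Protocol": "HTTP", "Port": 80},
    "arn:tg-https": {"TargetGroupName": "web-https", "Protocol": "HTTPS", "Port": 443},
}
# Setup A: HTTPS listener with an ACM cert, but it forwards to an HTTP target group.
OPTION_A_LISTENER = {
    "Protocol": "HTTPS", "Port": 443,
    "Certificates": [{"CertificateArn": ACM_CERT_ARN}],
    "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg-http"}],
}
# Setup B: same listener, forwarding to an HTTPS target group on port 443.
OPTION_B_LISTENER = {
    "Protocol": "HTTPS", "Port": 443,
    "Certificates": [{"CertificateArn": ACM_CERT_ARN}],
    "DefaultActions": [{"Type": "forward", "TargetGroupArn": "arn:tg-https"}],
}


def is_acm_certificate(arn: str) -> bool:
    """ACM-issued certificates carry an acm: service ARN; IAM-uploaded ones use iam:."""
    return arn.startswith("arn:aws:acm:")


def audit_listener(listener: Dict, target_groups: Dict[str, Dict]) -> List[str]:
    """Return findings for one listener; an empty list means both hops are
    encrypted and the client-facing certificate is managed by ACM."""
    findings: List[str] = []
    if listener["Protocol"] != "HTTPS":
        findings.append(f"{listener['Protocol']} listener on port {listener['Port']}: "
                        "client-to-load-balancer traffic is not encrypted")
    elif not any(is_acm_certificate(c["CertificateArn"])
                 for c in listener.get("Certificates", [])):
        findings.append("HTTPS listener is not using an ACM-managed certificate")
    for action in listener["DefaultActions"]:
        if action["Type"] != "forward":
            continue  # redirect / fixed-response actions have no backend hop
        tg = target_groups[action["TargetGroupArn"]]
        if tg["Protocol"] != "HTTPS":
            findings.append(f"target group {tg['TargetGroupName']} is {tg['Protocol']} on "
                            f"port {tg['Port']}: load-balancer-to-backend traffic is not encrypted")
    return findings


if __name__ == "__main__":
    for label, lsn in (("Setup A", OPTION_A_LISTENER), ("Setup B", OPTION_B_LISTENER)):
        print(label, audit_listener(lsn, TARGET_GROUPS) or ["ok: encrypted on both hops"])
```

Against real accounts the same function can be fed the `Listeners` and `TargetGroups` lists returned by boto3, keyed by `TargetGroupArn`.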
Answer
The correct answer is: B