Question #842
A financial institution is deploying a third-party intrusion detection system (IDS) from AWS Marketplace to monitor and secure traffic exiting its AWS environments. The IDS must be deployed in a shared services VPC, with all outbound internet traffic routed through the IDS appliances. A solutions architect must design a solution that ensures high reliability and rapid failover between appliances within a single AWS Region. The institution has already established routing from the shared services VPC to other VPCs. Which steps should the solutions architect recommend to fulfill these requirements? (Choose three.)
A. Deploy two IDS appliances in the shared services VPC, each in a different Availability Zone.
B. Configure a Network Load Balancer in the shared services VPC. Create a target group and register both IDS appliance instances with it.
C. Deploy a Gateway Load Balancer in the shared services VPC. Create a target group and register both IDS appliance instances with it.
D. Create a VPC interface endpoint. Update the shared services VPC route table to direct traffic from other VPCs to this endpoint.
E. Deploy two IDS appliances in the shared services VPC, both in the same Availability Zone.
F. Create a VPC Gateway Load Balancer endpoint. Update the shared services VPC route table to direct traffic from other VPCs to this endpoint.
Explanation
A: Deploying the IDS appliances in two different Availability Zones gives AZ-level redundancy and rapid failover within the Region. E (both appliances in the same AZ) leaves a single AZ failure able to take out the whole inspection path.
C: A Gateway Load Balancer (GWLB) is built for inserting third-party virtual appliances such as an IDS transparently into the traffic path (it forwards packets to the appliances over GENEVE and health-checks them). A Network Load Balancer (B) is a client-facing load balancer; it cannot be placed inline as a route-table target, so it cannot force outbound traffic through the appliances.
F: A GWLB endpoint is a valid route-table target, so the shared services VPC route table can send traffic arriving from the other VPCs to the endpoint and on through the IDS appliances. An interface endpoint (D) exists to reach an AWS or PrivateLink service; it is not a route-table target and cannot steer traffic through an appliance.
Key Points: Use multi-AZ deployments for high availability, a GWLB for virtual appliances, and GWLB endpoints as the route-table target for centralized traffic inspection.
Answer
The correct answer is: ACF