AWS Certified Solutions Architect - Professional / Question #917 of 529

Question #917

A company is hosting a web application on Amazon EC2 instances within an Auto Scaling group behind a public-facing Application Load Balancer (ALB). The application must only be accessible to users from a specific geographic region, and the company needs to log all blocked access attempts. The solution must minimize administrative overhead.

A

Create an IPSet with IP ranges from the allowed region. Configure an AWS WAF web ACL with a rule to block requests not matching the IPSet. Associate the web ACL with the ALB.

B

Configure an AWS WAF web ACL with a geographic match rule to block requests originating outside the specified region. Associate the web ACL with the ALB.

C

Use a network ACL (NACL) to deny traffic from IP ranges outside the specified region. Associate the NACL with the ALB's subnets.

D

Create a security group rule allowing HTTP/HTTPS traffic only from the specified region's IP ranges. Associate the security group with the EC2 instances.

Explanation

Answer B is correct because AWS WAF provides built-in geographic match rules that block requests based on country codes, eliminating the need to manually maintain IP ranges (as in A, C, or D). Associating the web ACL with the ALB ensures regional restrictions are enforced at the application layer. WAF also supports logging via AWS Firewall Manager or Amazon Kinesis Data Firehose, meeting the logging requirement.

Other options are incorrect:
- A requires manual updates to the IPSet as regional IP ranges change.
- C uses NACLs, which operate at the subnet level and lack native geo-blocking, requiring manual IP management.
- D uses security groups, which cannot enforce geographic rules directly and would require constant IP updates.

Key Points:
1. AWS WAF geo-match rules simplify regional restrictions.
2. WAF logging captures blocked attempts.
3. ALB integration ensures scalable enforcement.
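As an added example (not part of the original question or its explanation), the following CloudFormation fragment implements answer B: a regional WAFv2 web ACL with a geographic match rule that blocks requests not originating in the allowed country, the association with the ALB, and a logging configuration filtered to blocked requests only. The ALB ARN, the Firehose delivery stream ARN and the country code `DE` are placeholders to be replaced; the delivery stream is assumed to already exist with a name beginning `aws-waf-logs-`, as WAF requires.

```yaml
Resources:
  RegionRestrictWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: region-restrict-web-acl
      Scope: REGIONAL                      # REGIONAL scope is required to associate with an ALB
      DefaultAction:
        Allow: {}                          # requests from the allowed country fall through to this
      Rules:
        - Name: block-outside-region
          Priority: 0
          Action:
            Block: {}
          Statement:
            NotStatement:                  # block everything NOT originating in the allowed country
              Statement:
                GeoMatchStatement:
                  CountryCodes:
                    - DE                   # placeholder ISO country code; set to the required region
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: BlockOutsideRegion
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: RegionRestrictWebAcl

  WebAclToAlb:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      ResourceArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT:loadbalancer/app/PLACEHOLDER-ALB/ID   # placeholder ALB ARN
      WebACLArn: !GetAtt RegionRestrictWebAcl.Arn

  BlockedRequestLogging:
    Type: AWS::WAFv2::LoggingConfiguration
    Properties:
      ResourceArn: !GetAtt RegionRestrictWebAcl.Arn
      LogDestinationConfigs:
        - arn:aws:firehose:REGION:ACCOUNT:deliverystream/aws-waf-logs-PLACEHOLDER   # placeholder; name must start with aws-waf-logs-
      LoggingFilter:                       # keep only the blocked requests, drop the allowed ones
        DefaultBehavior: DROP
        Filters:
          - Behavior: KEEP
            Requirement: MEETS_ANY
            Conditions:
              - ActionCondition:
                  Action: BLOCK
```

Because the rule has no IP list to maintain, the only ongoing administration is reviewing the delivered logs and CloudWatch metric `BlockOutsideRegion`.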

Answer

The correct answer is: B