AWS Certified Solutions Architect - Professional / Question #650 of 529

Question #650

A financial institution is migrating its legacy web application to AWS using Amazon EC2 instances within an Auto Scaling group in a dedicated VPC. The institution relies on an on-premises intrusion detection system (IDS) that lacks cloud-native capabilities. The security team requires real-time inspection of all inbound and outbound VPC traffic using the existing IDS, ensuring no performance degradation. The solution must be highly available within a single AWS Region. Which two steps should a solutions architect take to meet these requirements? (Choose two.)

A. Deploy the IDS on EC2 instances in a new Auto Scaling group within the existing VPC

B. Configure a Network Load Balancer to distribute traffic to the web application instances

C. Use an Application Load Balancer to route traffic through the IDS instances

D. Implement a Gateway Load Balancer in each Availability Zone to redirect traffic to the IDS

E. Establish a VPC peering connection to centralize traffic inspection

Explanation

The solution requires real-time inspection of all VPC traffic using the institution's existing IDS, redeployed as virtual appliances on AWS.

- A is correct because deploying the IDS on EC2 instances in an Auto Scaling group within the VPC lets the inspection capacity scale with traffic and replaces failed appliances automatically, meeting the requirements for high availability and no performance degradation.
- D is correct because Gateway Load Balancer (GWLB) is designed to transparently forward traffic to third-party virtual appliances (such as an IDS) for inspection. Deploying GWLB in each AZ ensures traffic is redirected to the IDS instances without a single-AZ point of failure, providing redundancy and high availability.

Other options are incorrect:
- B: A Network Load Balancer (NLB) distributes traffic to the web instances but does not route that traffic through the IDS for inspection.
- C: An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and cannot pass all traffic types through the IDS.
- E: VPC peering connects VPCs but does not enforce traffic inspection via the IDS.

Key Points: Use GWLB for traffic redirection to third-party appliances and Auto Scaling for HA. Avoid solutions that do not enforce full traffic inspection or lack scalability.

Answer

The correct answer is: AD