PrepAway - Latest Free Exam Questions & Answers

Which of the following options would you consider for configuring the web server infrastructure?

You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using
client certificate authentication. The solution must be resilient.
Which of the following options would you consider for configuring the web server infrastructure? (Choose 2
answers)

A.
Configure ELB with TCP listeners on TCP/443, and place the Web servers behind it.

B.
Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health
checks against all Web servers.

C.
Configure ELB with HTTPS listeners, and place the Web servers behind it.

D.
Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your
CloudFront distribution.

Explanation:

21 Comments on “Which of the following options would you consider for configuring the web server infrastructure?”

  1. Kumar G says:

    A is not correct, since you can’t assign a client certificate for TCP listeners in ELB.

    C is correct, because you will have the option to assign a certificate when you choose HTTPS listeners.

    D also has the option to choose a custom certificate/default CloudFront certificate for your web servers.




  2. muthu says:

    In option A the front-end listener is TCP, with no mention of SSL. But the question mentions HTTPS clients, so an SSL (X.509) certificate is a must for HTTPS. So C and D are correct.




  3. freelyfly84 says:

    A is 100% not the answer.
    Because TCP/443 or HTTPS listener, either way you can configure, but you can only upload an SSL certificate on an HTTPS listener.

    And we already know B also can’t be the answer.

    So, C and D are only left.




  4. ned kelly says:

    Client cert is the key.

    If you use ELB then it must be a simple TCP/443 to pass the flow to the server, so A.
    As bad as B is for a design, I think it is the only other option that can do client auth.

    BTW, I hate this question.




  5. Manish says:

    C & D.

    Explanation:
    http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-listener-config.html
    HTTPS/SSL Listeners
    You can create an HTTPS load balancer with the following security features.
    SSL Server Certificates
    If you use HTTPS or SSL for your front-end listener, you must deploy an X.509 certificate (SSL server certificate) on your load balancer. The load balancer decrypts requests from clients before sending them to the back-end instances (known as SSL termination). For more information, see SSL/TLS Certificates for Classic Load Balancers.
    https://aws.amazon.com/cloudfront/custom-ssl-domains/

    Custom SSL Options for Amazon CloudFront
    Custom SSL certificate support lets you deliver content over HTTPS using your own domain name and your own SSL certificate. This gives visitors to your website the security benefits of CloudFront over an SSL connection that uses your own domain name in addition to lower latency and higher reliability.




  6. kirrim says:

    This question is regarding “two-way” SSL authentication.

    Currently, ELBs cannot support authentication for the client side SSL/TLS cert required for two-way SSL authentication to succeed. Therefore, you only have two options:

    A. Configure the ELB with a TCP/443 listener. This is effectively TLS “pass through” mode, where the TLS connection does not terminate on the ELB, it is passed through and decrypted on the back-end servers. This will cause quite a bit of CPU overhead on the back-end instances, due to the lack of TLS offload that cannot happen on the ELB, so an auto-scaling group which monitors the web server CPU metrics would be essential here. (Not that you probably wouldn’t have it anyway, just saying!)

    B. Don’t use an ELB. Just have the web servers act as the endpoint for the traffic, and let Route53 DNS serve in the place of the ELB by load balancing client DNS queries across the web servers.

    C and D are not options here, since neither are supported by AWS.




  7. donkeynuts says:

    This is quite a hectic question. I would go for A and B. Both are possible. C is wrong, because then you are terminating your SSL on the ELB and not on the instances themselves. D I think is wrong because CloudFront doesn’t support client authentication with client-side SSL certs.




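The comments above turn on where the client's TLS handshake ends: on the load balancer (HTTPS/SSL listener, "SSL termination") or on the web server (TCP pass-through). The following is an added example, not part of the original page or of AWS's own tooling, that audits Classic ELB listener settings for that property; the dictionaries are constructed sample data shaped like `describe-load-balancers` output, and the function names and certificate ARN are hypothetical.

```python
# Added example (not from the original page). The dicts below are constructed
# and follow the shape of Classic ELB describe-load-balancers output.

TERMINATING = {"HTTPS", "SSL"}  # front-end protocols that decrypt on the ELB


def tls_endpoint(listener):
    """Say where the client's TLS handshake completes for one listener."""
    front = listener["Protocol"].upper()
    back = listener["InstanceProtocol"].upper()
    if front in TERMINATING:
        return "elb"        # ELB presents the server certificate and decrypts
    if front == "TCP" and back == "TCP":
        return "instance"   # bytes relayed untouched; web server sees the handshake
    return "none"           # e.g. HTTP, or TCP re-wrapped in SSL: not plain pass-through


def audit_client_cert_path(load_balancers, port=443):
    """Return (lb_name, reason) for every LB whose listener on `port` would
    keep a web server from validating the client certificate itself."""
    findings = []
    for lb in load_balancers:
        name = lb["LoadBalancerName"]
        listeners = [d["Listener"] for d in lb["ListenerDescriptions"]
                     if d["Listener"]["LoadBalancerPort"] == port]
        if not listeners:
            findings.append((name, f"no listener on port {port}"))
        for lst in listeners:
            where = tls_endpoint(lst)
            if where == "elb":
                findings.append((name, f"{lst['Protocol']} listener terminates TLS on the ELB"))
            elif where == "none":
                findings.append((name, f"{lst['Protocol']}->{lst['InstanceProtocol']} is not TLS pass-through"))
    return findings


def _lb(name, proto, inst_proto, port=443, cert=None):
    """Build one constructed load balancer description."""
    listener = {"Protocol": proto, "LoadBalancerPort": port,
                "InstanceProtocol": inst_proto, "InstancePort": port}
    if cert:
        listener["SSLCertificateId"] = cert
    return {"LoadBalancerName": name, "ListenerDescriptions": [{"Listener": listener}]}


SAMPLE = [  # constructed sample data; the certificate ARN is a placeholder
    _lb("web-passthrough", "TCP", "TCP"),
    _lb("web-terminated", "HTTPS", "HTTP", cert="arn:aws:iam::000000000000:server-certificate/PLACEHOLDER"),
    _lb("web-plain", "HTTP", "HTTP", port=80),
]

if __name__ == "__main__":
    for lb_name, reason in audit_client_cert_path(SAMPLE):
        print(f"{lb_name}: {reason}")
```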
