You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer
(ELB), web servers, application servers and a database. Your web application should only accept traffic from
pre-defined customer IP addresses.
Which two options meet this security requirement? (Choose two.)

A. Configure web server VPC security groups to allow traffic from your customers’ IPs
B. Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
C. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
D. Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
Shouldn’t this be A and D?
0
0
If outbound traffic is blocked per C and D then the web app will be unable to communicate. TCP requires two-way communication between endpoints.
2
2
Tricky one..
A:B
C – not correct because of “deny outbound traffic”
D – not correct since NACLs are stateless.
0
1
A (Technically Correct/Logically Incorrect): Why would you want to override ELB and access directly to Web server?
B (Correct)
C (Technically Correct/Logically Incorrect): Given that a Security Group is stateful in nature, response traffic will be allowed to exit regardless of deny-all outbound rules. However, this web server won’t be able to connect to the internet for updates etc.
D. Straight No
2
0
With that, I would go with B and C.
6
0
A is wrong. The ELB acts as a proxy, so the source address of all traffic is the ELB’s private IP.
D. Straight No.
So correct is B and C.
7
1
A: no, because the ELB is in front of the web server.
B: yes, otherwise the web server will only see the ELB’s private IP address.
C: yes, because the security group attached to the ELB has the task of passing traffic to the web server; security groups are stateful, so it will not treat the response as a new request and will let the traffic flow.
D: NACLs are stateless, so no.
10
1
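The X-Forwarded-For check that option B describes is easy to get wrong, because the header is a comma-separated list in which everything except the entry appended by the ELB is client-controlled. The following is an added example, not code from the original thread or from AWS: it trusts only the last hop (the address the ELB appends) and matches it against a constructed customer allowlist. The allowlist networks and the `authorize_request` helper are assumptions made for the illustration.

```python
import ipaddress

# Constructed allowlist of customer networks (hypothetical values, not from the thread).
CUSTOMER_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def client_ip_from_xff(xff_header, trusted_hops=1):
    """Return the client IP recorded by the trusted proxy, or None.

    A load balancer appends the connecting address as the LAST element of
    X-Forwarded-For. With one trusted hop (the ELB), that last element is
    the only value the client could not have written itself; anything to
    the left was supplied by the client and is ignored.
    """
    if not xff_header:
        return None
    parts = [p.strip() for p in xff_header.split(",") if p.strip()]
    if len(parts) < trusted_hops:
        return None
    candidate = parts[-trusted_hops]
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        # Malformed entry: treat as no usable client address rather than guessing.
        return None


def is_allowed(ip):
    """True if the address falls inside any allowlisted customer network."""
    return ip is not None and any(ip in net for net in CUSTOMER_ALLOWLIST)


def authorize_request(headers):
    """Decide whether a request (given its header dict) comes from a customer.

    Returns (allowed, reason) so the caller can log the reason on a deny.
    """
    ip = client_ip_from_xff(headers.get("X-Forwarded-For"))
    if ip is None:
        return False, "no valid client address in X-Forwarded-For"
    if is_allowed(ip):
        return True, f"{ip} is a customer address"
    return False, f"{ip} is not in the customer allowlist"


if __name__ == "__main__":
    # Constructed sample headers: a legitimate customer, a request whose
    # client-supplied left entry is allowlisted but whose real address is not,
    # and a request with no header at all (e.g. one that bypassed the ELB).
    for sample in (
        {"X-Forwarded-For": "203.0.113.5"},
        {"X-Forwarded-For": "203.0.113.5, 192.0.2.9"},
        {},
    ):
        print(sample, "->", authorize_request(sample))
```

Two points follow from the code. First, the leftmost-entry mistake: a check that reads `parts[0]` accepts the second sample, because the allowlisted address there was written by the client. Second, this filter is only meaningful if the web servers cannot be reached except through the ELB (their security group allowing inbound only from the ELB’s security group), since a request that bypasses the ELB can carry any X-Forwarded-For value it likes.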