A company runs a web application on Amazon EC2 instances in a VPC private subnet. An Application Load Balancer (ALB) in the public subnets directs traffic to those EC2 instances. The company wants to restrict inbound traffic to the EC2 instances so that only the ALB can access them, preventing access from any other source. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Configure the security group for the EC2 instances to only allow traffic that comes from the security group for the ALB..
Why this is the answer
The most secure and effective way to restrict inbound traffic to EC2 instances from only the ALB is to configure the EC2 instances' security group to allow traffic from the ALB's security group. This creates a direct, secure channel, ensuring only the ALB can initiate connections to the instances. Incorrect options: Configuring a route in a route table to direct traffic from the internet to private IP addresses would expose the EC2 instances directly to the internet, bypassing the ALB and violating the requirement to restrict access. Moving EC2 instances to a public subnet and assigning Elastic IPs would also expose them directly to the internet, making them publicly accessible and defeating the purpose of restricting access to the ALB. Configuring the ALB's security group to allow any TCP traffic on any port is a security best practice for the ALB itself, but it does not restrict traffic to the EC2 instances; it only controls what traffic the ALB accepts.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed