A solutions architect must secure a VPC that hosts Amazon EC2 instances containing highly sensitive data in a private subnet. Company policy allows these instances to access only approved third-party software repositories on the internet using the third party’s URLs. All other internet traffic must be blocked. Which solution meets these requirements?
Choose an answer
Tap an option to check your answer.
Correct answer: Update the route table for the private subnet to route the outbound traffic to an AWS Network Firewall firewall. Configure domain list rule groups..
Why this is the answer
AWS Network Firewall is the correct choice because it supports domain list rule groups, allowing precise control over outbound traffic to specific URLs. By routing traffic through the firewall, you can enforce the policy of permitting access only to approved third-party repositories while blocking all other internet traffic. AWS WAF is designed for protecting web applications from common web exploits, not for controlling outbound traffic from EC2 instances. Security group rules operate at the IP address and port level, and while they can restrict outbound traffic, they cannot filter based on specific URLs. An Application Load Balancer (ALB) is used for distributing incoming application traffic and does not provide URL-based filtering for outbound internet access from ECstances.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed