An application serves clients in more than 20,000 retail storefronts worldwide. Backend web services run on Amazon EC2 behind an Application Load Balancer (ALB) and are exposed over HTTPS on port 443. Retail locations communicate over the public internet and register their allocated ISP IP address. The security team wants to restrict access to only the registered IP addresses. What should a solutions architect do?
Choose an answer
Tap an option to check your answer.
Correct answer: Associate an AWS WAF web ACL with the ALB. Use IP rule sets to filter traffic and update the IP addresses in the rule to include the registered addresses..
Why this is the answer
Associating an AWS WAF web ACL with the ALB and using IP rule sets is the most scalable and manageable solution. AWS WAF allows you to define IP sets containing thousands of IP addresses and apply them as rules to allow or block traffic. This directly addresses the requirement to restrict access to registered IP addresses. Deploying AWS Firewall Manager is overkill for a single ALB and primarily used for centralized management across multiple accounts or resources, not for defining IP restrictions on a single ALB. Storing IP addresses in DynamoDB with a Lambda authorizer adds unnecessary complexity and latency compared to native WAF capabilities. Configuring network ACLs on the subnet is impractical due to the 20,000 IP addresses; NACLs have a limited number of rules per ACL (typically 20 inbound and 20 outbound), making this solution unscalable.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed