A multinational banking institution is using AWS infrastructure to deploy its application servers.
A new application is being developed on a fleet of EC2 instances in a VPC spread across multiple Availability Zones, with an Application Load Balancer (ALB) in front of them.
Global users will access this banking application, which needs to be highly secure and high-performance.
The security team is concerned about the security of this application and needs a solution to mitigate DDoS attacks. Which of the following solutions will meet the requirement?
A.
B.
C.
D.
E.
F.
Correct Answer - A.
When an ALB is used as an endpoint for AWS Global Accelerator, all traffic towards that endpoint flows over AWS Global Accelerator.
For this, the ALB does not need a public IP address (it can be an internal ALB), but an internet gateway must be attached to the VPC to indicate that the VPC accepts internet traffic; without it, Global Accelerator cannot route to the internal endpoint. With internet traffic entering only through the accelerator's static anycast IP addresses at the AWS edge, which are protected by AWS Shield Standard, the ALB itself has no public address that an attacker could target directly, and that is what mitigates DDoS attacks.
Option B is incorrect because an internal ALB used as an endpoint for AWS Global Accelerator does not need a public IP address. Options C and D are incorrect because an internet gateway must be attached to the VPC when an internal ALB is used as the endpoint.
For more information on Secure VPC connections in AWS Global Accelerator, refer to the following URL.
https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html

The best solution to mitigate DDoS attacks for the multinational banking institution's application on AWS infrastructure is to associate the Application Load Balancer (ALB) with AWS Global Accelerator.
AWS Global Accelerator is a service that improves the availability and performance of applications by using static anycast IP addresses announced from multiple AWS edge locations worldwide. It directs traffic to optimal AWS endpoints over the AWS global network rather than over the public internet. In addition, Global Accelerator is protected by AWS Shield Standard, which provides always-on detection and automatic inline mitigation that minimizes the impact of DDoS attacks at the edge, before traffic reaches the VPC.
Among the given options, two create an internal ALB in a VPC with an internet gateway attached. An internal ALB receives only private IP addresses, so attaching an internet gateway to the VPC does not by itself expose the load balancer to the internet; the gateway is what lets Global Accelerator deliver traffic to the internal endpoint. Option A is the better of the two because it assigns no public IP address to the ALB. Option B assigns a public IP address to the ALB, which gives attackers a direct path to the load balancer that bypasses the accelerator and its Shield protection.
Option C creates an internal ALB in a VPC without an internet gateway attached and assigns an Elastic IP address to the ALB. An Application Load Balancer cannot have an Elastic IP address attached (only a Network Load Balancer supports that), and without an internet gateway Global Accelerator cannot route traffic to the internal ALB, so this option adds no DDoS mitigation.
Option D suggests associating the ALB with AWS Global Accelerator. This leverages Global Accelerator to improve availability and performance while providing automatic DDoS mitigation through AWS Shield at the edge.
Option E creates an internal ALB in a VPC without an internet gateway attached and assigns a private IP address to the ALB. The ALB is not exposed directly to the internet, but without an internet gateway Global Accelerator cannot reach it, and a private IP address on its own provides no DDoS mitigation.
Option F is described as the same as Option D, associating the ALB with AWS Global Accelerator, so it is equally valid.
Therefore, associating the ALB with AWS Global Accelerator is the solution that meets the requirement; Options D and F are the correct choices.
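The configuration both explanations above arrive at (an internal ALB with no public IP, an internet gateway attached to its VPC so that Global Accelerator can reach it, and the ALB registered as an accelerator endpoint) can be verified from API output rather than trusted. The Python check below is an added example, not code from the original page or from AWS. Its sample dicts are constructed to mimic the JSON shapes returned by `aws elbv2 describe-load-balancers`, `aws ec2 describe-internet-gateways` and `aws globalaccelerator describe-endpoint-group`, and every ID and ARN in it is made up.

```python
"""Check that an ALB is fronted by AWS Global Accelerator as the answer
describes: internal scheme (no public IPs), an internet gateway attached to
the VPC, and the ALB registered as an accelerator endpoint.

Added example, not from the original page or from AWS. The dicts below are
constructed to mimic the JSON of describe-load-balancers,
describe-internet-gateways and describe-endpoint-group; IDs/ARNs are made up.
"""

VPC_ID = "vpc-0a1b2c3d4e5f67890"
ALB_ARN = ("arn:aws:elasticloadbalancing:us-east-1:123456789012:"
           "loadbalancer/app/bank-alb/50dc6c495c0c9188")

# Constructed sample: the configuration the answer recommends.
INTERNAL_ALB = {"LoadBalancers": [{
    "LoadBalancerArn": ALB_ARN, "Type": "application",
    "Scheme": "internal", "VpcId": VPC_ID,
}]}

# Constructed sample: an internet-facing ALB gets public IPs and can be hit
# directly, so traffic would not be forced through the accelerator.
INTERNET_FACING_ALB = {"LoadBalancers": [{
    "LoadBalancerArn": ALB_ARN, "Type": "application",
    "Scheme": "internet-facing", "VpcId": VPC_ID,
}]}

IGW_ATTACHED = {"InternetGateways": [{
    "InternetGatewayId": "igw-0123456789abcdef0",
    "Attachments": [{"State": "available", "VpcId": VPC_ID}],
}]}
IGW_MISSING = {"InternetGateways": []}

ENDPOINT_GROUP = {"EndpointGroup": {
    "EndpointGroupArn": ("arn:aws:globalaccelerator::123456789012:accelerator/"
                         "abcd1234-5678-90ab-cdef-1234567890ab/listener/"
                         "0123abcd/endpoint-group/0123456789ab"),
    "EndpointGroupRegion": "us-east-1",
    "EndpointDescriptions": [
        {"EndpointId": ALB_ARN, "Weight": 128, "HealthState": "HEALTHY"},
    ],
}}


def igw_attached_to_vpc(igws, vpc_id):
    """Return the ID of an internet gateway attached to vpc_id, or None.

    describe-internet-gateways reports an attached gateway's state as
    "available"; "attached" is accepted too so the check is not brittle.
    """
    for igw in igws.get("InternetGateways", []):
        for attachment in igw.get("Attachments", []):
            if (attachment.get("VpcId") == vpc_id
                    and attachment.get("State") in ("available", "attached")):
                return igw["InternetGatewayId"]
    return None


def check_alb_behind_accelerator(lbs, igws, endpoint_group):
    """Return a list of findings; an empty list means the ALB matches the pattern."""
    registered = {e["EndpointId"]
                  for e in endpoint_group["EndpointGroup"]["EndpointDescriptions"]}
    findings = []
    for lb in lbs.get("LoadBalancers", []):
        if lb.get("Type") != "application":
            continue
        arn = lb["LoadBalancerArn"]
        # 1. No public IPs: only an internal ALB has none.
        if lb.get("Scheme") != "internal":
            findings.append(
                f"{arn}: scheme is {lb.get('Scheme')!r}; an internet-facing ALB "
                "has public IPs and can be attacked directly, bypassing the accelerator")
        # 2. Global Accelerator can only reach an internal ALB if the VPC has an IGW.
        if igw_attached_to_vpc(igws, lb["VpcId"]) is None:
            findings.append(
                f"{arn}: no internet gateway attached to {lb['VpcId']}; "
                "Global Accelerator cannot route traffic to this internal ALB")
        # 3. Traffic only flows through the accelerator if the ALB is its endpoint.
        if arn not in registered:
            findings.append(f"{arn}: not registered as a Global Accelerator endpoint")
    return findings


if __name__ == "__main__":
    for label, lbs, igws in [("recommended", INTERNAL_ALB, IGW_ATTACHED),
                             ("internet-facing", INTERNET_FACING_ALB, IGW_ATTACHED),
                             ("no IGW", INTERNAL_ALB, IGW_MISSING)]:
        print(label, check_alb_behind_accelerator(lbs, igws, ENDPOINT_GROUP) or "OK")
```

To run it against a real account, replace the three constructed dicts with the parsed output of the corresponding `aws` commands (`describe-endpoint-group` needs the endpoint group ARN); an empty return value means the ALB is internal, its VPC has an attached internet gateway, and the ALB is an endpoint of the accelerator, which is exactly the configuration the answer calls for.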