Implementing Traffic Control for EC2 and Transit Gateway Connectivity

Control Approach for Traffic Management

Prev Question Next Question

Question

Your company uses an AWS Transit Gateway as a hub to manage the interconnections between multiple VPCs and the on-premises networks.

The security team asks you to implement a control that can allow or block the traffic between the EC2 network interface workload and the Transit Gateway.

Which of the following approaches would you select?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Correct Answer: D.

Option A is incorrect because the IAM role in EC2 instances provisions permissions for EC2 applications.

It does not control the network traffic between the EC2 network interface workload and the Transit Gateway.

Option B is incorrect because security groups cannot be applied to either the EC2 network interface workload or the Transit Gateway.

For the access control methods of Transit Gateway, please check the following references.

Option C is incorrect because Transit Gateway route tables are used to configure routing for Transit Gateway attachments.

They do not act as a security layer to allow or block traffic.

Option D is CORRECT because the inbound and outbound NACL rules applied in the subnets can act as a firewall and control traffic in and out of the Transit Gateway.

References:

https://docs.aws.amazon.com/vpc/latest/tgw/tgw-nacls.html https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-authentication-access-control.html

To implement a control that allows or blocks the traffic between the EC2 network interface workload and the Transit Gateway, the most appropriate approach would be to associate security groups to the EC2 instance network interface and the Transit Gateway.

Option A: Attaching IAM roles with the AWSNetworkManagerServiceRolePolicy policy is not the right approach because this policy is used to manage network resources and monitor the network, and it does not provide control over the traffic.

Option B: Associate security groups to the EC2 instance network interface and the Transit Gateway to control the traffic. A security group acts as a virtual firewall that controls the traffic to an instance. When an EC2 instance is launched, it can be associated with one or more security groups. Security groups can be applied to a network interface, and rules can be added to the security group to allow or block traffic based on source and destination. In this scenario, we can create a security group for the Transit Gateway and another for the EC2 instance network interface. We can then add the necessary rules to the security groups to allow or block traffic between them.

Option C: Creating route tables in the AWS Transit Gateway to allow or disallow traffic from the EC2 workload is not the right approach because route tables control how traffic is routed between VPCs and on-premises networks, and they do not provide control over the traffic itself.

Option D: Applying NACL rules between EC2 instances in the subnets and Transit Gateway associations to control the traffic is not the right approach because NACL rules control traffic at the subnet level and do not provide control over traffic between an EC2 instance network interface and the Transit Gateway.

In conclusion, option B - associating security groups to the EC2 instance network interface and the Transit Gateway to control the traffic - is the most appropriate approach to implement the required control.