You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database.
Your web application should only accept traffic from predefined customer IP addresses.
Which two options meet this security requirement? Choose 2 answers.
A. Configure the ELB security group to allow traffic from your customers' IPs.
B. Configure the web server security group to allow traffic from the ELB.
C. Configure the ELB security group to allow traffic from your customers' IPs and deny all outbound traffic.
D. Configure a VPC NACL to allow web traffic from your customers' IPs and deny all outbound traffic.

Answer - A and B.
The source-IP restriction belongs in the security group attached to the ELB, because the ELB is the component that terminates the customer's connection: its inbound rules should allow the web ports (80 and 443) only from the predefined customer address ranges, with no broader rule such as 0.0.0.0/0.
The web servers cannot enforce the same rule with their own security group, because they never see the customer's address directly: the load balancer intercepts traffic between clients and servers, so a connection arriving at a web server has the ELB's private IP as its source, and the server access logs contain only the IP address of the load balancer.
To identify the client's IP address on the web servers, use the X-Forwarded-For request header, which the ELB adds when you use an HTTP or HTTPS listener (a TCP listener passes the bytes through and adds no header).
Note that a client can send its own X-Forwarded-For header; the ELB appends the real connecting address as the last value, so any filter on the web servers must use the last entry of the header and must trust it only on connections that actually arrived from the ELB.
For more information on the X-Forwarded-For request header, please refer to the link:
http://docs.aws.amazon.com/es_es/elasticloadbalancing/latest/classic/x-forwarded-headers.html

The security requirement in this scenario is to restrict access to the web application to a set of predefined customer IP addresses and nothing else. To achieve this, we can use the following two options:
A. Configure the ELB security group to allow traffic from your customers' IPs: the security group associated with the Elastic Load Balancer (ELB) gets inbound rules for the web ports whose source is the list of customer addresses or CIDR ranges. The ELB then forwards accepted requests to the web servers, which in turn talk to the application servers and the database; none of those tiers needs the customer IPs in its own rules. Because the ELB is the only component reachable from the internet, a single security group at the entry point enforces the requirement, which also simplifies management: adding or removing a customer means editing one rule set rather than the security groups of every component. The ELB's security group must still allow outbound traffic to the web servers, since the load balancer opens its own connections to the back-end instances.
B. Configure the web server security group to allow traffic from the ELB: the security group associated with the web servers gets an inbound rule for the web ports whose source is the ELB's security group ID (not an IP address, because the addresses of ELB nodes change over time). On its own this rule names no customer IP; it works together with the ELB security group, which admits only the predefined customer addresses. The combination closes the bypass in which a request reaches a web server's address directly instead of through the ELB, so nothing arrives at the web tier without first passing the customer-IP check at the load balancer.
Option C, to configure the ELB security group to allow traffic from customers' IPs and deny all outbound traffic, does not meet the requirement. Security groups have no explicit deny rules; "denying all outbound traffic" means removing every outbound rule, and because the load balancer initiates its own connections to the back-end instances, an ELB security group with no outbound rule cannot reach the web servers at all. The inbound half of the option is right, but the outbound half breaks the web application.
Option D, to configure a VPC NACL to allow web traffic from customers' IPs and deny all outbound traffic, also fails. Network ACLs are stateless: an outbound deny-all blocks the return packets of every connection the inbound rule admitted, so customers would never receive a response. A NACL also applies to a whole subnet rather than to the web application, so it does not provide the per-resource control that the security groups of the ELB and the web servers do.
In summary, the two options that meet the security requirement of allowing traffic only from predefined customer IP addresses are A and B.
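The X-Forwarded-For check described in the explanation above, as an added example that is not part of the original question or of any AWS code: a small per-request filter a web server behind an ELB could run as defence in depth alongside the security-group rules. Everything in it is constructed for illustration: the customer allowlist, the address range the ELB nodes connect from (assumed here to be the VPC CIDR), the sample request headers, and the function names.

```python
import ipaddress
from typing import Iterable, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data (assumptions, not values from the page): the
# customer ranges allowed to use the application, and the private range
# the ELB nodes connect from. In practice both come from configuration.
CUSTOMER_ALLOWLIST = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.42/32"),
    ipaddress.ip_network("2001:db8:1::/48"),
]
ELB_SOURCE_RANGE = ipaddress.ip_network("10.0.0.0/16")  # assumed VPC CIDR


def client_ip_from_xff(xff_header: Optional[str]) -> Optional[IPAddress]:
    """Return the address the ELB appended to X-Forwarded-For.

    A client may send its own X-Forwarded-For header; the ELB appends the
    real connecting address as the LAST value, so only that entry is
    trustworthy. Returns None if the header is missing or the last entry
    is not a valid IP address.
    """
    if not xff_header:
        return None
    last = xff_header.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def is_allowed(ip: IPAddress, allowlist: Iterable[IPNetwork]) -> bool:
    """True if ip falls inside any allowlisted network (version-aware)."""
    return any(ip in net for net in allowlist)


def check_request(remote_addr: str, headers: dict) -> Tuple[bool, str]:
    """Decide whether a request may proceed.

    remote_addr is the TCP peer as the web server sees it (an ELB node when
    the request came through the load balancer); headers is the request's
    header dict. Returns (allowed, reason).
    """
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return (False, "invalid peer address")
    # Trust X-Forwarded-For only on connections that really came from the
    # ELB; anything else bypassed the load balancer and its security group.
    if peer not in ELB_SOURCE_RANGE:
        return (False, "connection did not arrive via the ELB")
    # Header names are case-insensitive in HTTP.
    lowered = {k.lower(): v for k, v in headers.items()}
    client = client_ip_from_xff(lowered.get("x-forwarded-for"))
    if client is None:
        return (False, "no usable X-Forwarded-For header")
    if not is_allowed(client, CUSTOMER_ALLOWLIST):
        return (False, f"client {client} not in customer allowlist")
    return (True, f"client {client} allowed")


if __name__ == "__main__":
    # Constructed requests: a legitimate customer, a spoofed header whose
    # real sender is 192.0.2.99, a request with no header, and a direct
    # connection that never went through the ELB.
    samples = [
        ("10.0.1.7", {"X-Forwarded-For": "203.0.113.5"}),
        ("10.0.1.7", {"X-Forwarded-For": "203.0.113.5, 192.0.2.99"}),
        ("10.0.1.7", {}),
        ("192.0.2.99", {"X-Forwarded-For": "203.0.113.5"}),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", check_request(peer, hdrs))
```

The second sample is the case the header caveat is about: the client sent a forged X-Forwarded-For naming an allowed address, the ELB appended the real source 192.0.2.99, and the filter correctly takes that last value and rejects the request. The peer check on remote_addr is what option B provides at the network layer; keeping it in the application as well means a misconfigured security group does not silently turn a spoofable header into the only control.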