Question 12
Domain 4: Accelerate Workload Migration and Modernization
A company is deploying a third-party firewall appliance solution from AWS Marketplace to monitor and protect traffic that leaves the company's AWS environments. The company wants to deploy this appliance into a shared services VPC and route all outbound internet-bound traffic through the appliances. A solutions architect needs to recommend a deployment method that prioritizes reliability and minimizes failover time between firewall appliances within a single AWS Region. The company has set up routing from the shared services VPC to other VPCs. Which steps should the solutions architect recommend to meet these requirements? (Select THREE.)
Correct answer: D
Explanation
Use a Gateway Load Balancer (GWLB) to place the AWS Marketplace firewall appliances behind a single endpoint service and distribute traffic across multiple appliances in the shared services VPC. AWS describes Gateway Load Balancer as designed to "deploy, scale, and manage third-party virtual appliances", providing "high availability" with "transparent scaling" and fast failover within a Region. Routing outbound traffic through the GWLB endpoint meets the centralized inspection requirement while minimizing failover time between appliances.
Why each option is right or wrong
A. Create a VPC Gateway Load Balancer endpoint. Add a route to the route table in the shared services VPC. Designate the new endpoint as the next hop for traffic that enters the shared services VPC from other VPCs.
Creates the traffic entry point only; on its own it provides neither the firewall fleet nor the load-balancing layer.
B. Deploy two firewall appliances into the shared services VPC, each in a separate Availability Zone.
Improves appliance redundancy across Availability Zones, but on its own does not steer traffic to the appliances or distribute it between them.
C. Create a new Gateway Load Balancer in the shared services VPC. Create a new target group, and attach it to the new Gateway Load Balancer. Add each of the firewall appliance instances to the target group.
Builds the inspection service, but without a GWLB endpoint and the corresponding route, traffic from other VPCs will not traverse it.
D. All of the above
Each of the listed options is a required part of the solution: B provides the redundant appliances, C places them behind the Gateway Load Balancer, and A routes traffic from other VPCs through the GWLB endpoint. All three are needed.