Question 26
Domain 1: Design Solutions for Organizational Complexity
A company has multiple applications that run on Amazon EC2 instances in private subnets in a VPC. The company has deployed multiple NAT gateways in multiple Availability Zones for internet access. The company wants to block certain websites from being accessed through the NAT gateways. The company also wants to identify the internet destinations that the EC2 instances access. The company has already created VPC flow logs for the NAT gateways' elastic network interfaces. Which solution will meet these requirements?
Correct answer: A
Explanation
VPC flow logs on the NAT gateway elastic network interfaces record the source and destination traffic, so CloudWatch Logs Insights can query those logs to identify the internet destinations the EC2 instances access. AWS Network Firewall is the managed service used to "block certain websites" by filtering outbound traffic, which meets the requirement to restrict access through the NAT gateways.
Why each option is right or wrong
A. Use Amazon CloudWatch Logs Insights to query the logs and determine the internet destinations that the EC2 instances communicate with. Use AWS Network Firewall to block the websites.
VPC Flow Logs on the NAT gateway ENIs capture the 5-tuple traffic metadata, including the destination IPs and ports for the outbound connections, and CloudWatch Logs Insights can query those log records to identify which internet destinations are being reached. To actually prevent access to specific sites, the applicable service is AWS Network Firewall, which supports stateful domain-name filtering in firewall rules and is designed to inspect and block outbound traffic before it exits the VPC; NAT gateways themselves cannot enforce website-blocking policy.
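To make the "identify the destinations" half of option A concrete, the following added example (not part of the original question or of any AWS documentation) does offline what the CloudWatch Logs Insights query would do against the NAT gateway ENI log group: it parses flow log records in the default version 2 format, keeps only accepted flows that originate inside the VPC and leave it, and ranks the destinations by byte count. The sample records, the ENI id, the account id and the VPC CIDR of 10.0.0.0/16 are all constructed; the destination addresses are IANA documentation ranges standing in for public internet hosts.

```python
"""Rank internet destinations seen in NAT gateway ENI flow logs.

Added example, not code from the original question. Assumptions: default
VPC Flow Logs record format (version 2) and a VPC CIDR of 10.0.0.0/16.
"""
import ipaddress
from collections import defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records for the NAT gateway's ENI (not real data).
# The public-looking destinations are documentation ranges (203.0.113.0/24,
# 198.51.100.0/24, 192.0.2.0/24) used as stand-ins for internet hosts.
SAMPLE_FLOW_LOGS = """\
2 111122223333 eni-0nat0example 10.0.1.15 203.0.113.10 49152 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0nat0example 10.0.1.15 203.0.113.10 49153 443 6 8 3200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0nat0example 10.0.2.27 198.51.100.5 49154 80 6 5 1500 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0nat0example 10.0.2.27 10.0.0.5 49155 53 17 2 180 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0nat0example 203.0.113.10 10.0.0.5 443 49152 6 10 9000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0nat0example 10.0.1.15 192.0.2.44 49156 443 6 3 900 1700000000 1700000060 REJECT OK
2 111122223333 eni-0nat0example - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text):
    """Yield flow log records as dicts, skipping NODATA/SKIPDATA lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry no traffic fields
        yield rec


def rank_internet_destinations(text, vpc_cidr="10.0.0.0/16"):
    """Return [(dstaddr, dstport, flows, bytes)] for accepted outbound flows
    whose destination lies outside the VPC, largest byte count first.

    Records whose source is outside the VPC are return traffic arriving at
    the NAT gateway, so they are skipped. REJECT records never left the VPC
    and are skipped as well; a destination is only "accessed" if accepted.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = defaultdict(lambda: [0, 0])  # (dstaddr, dstport) -> [flows, bytes]
    for rec in parse_records(text):
        if rec["action"] != "ACCEPT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src not in vpc or dst in vpc:
            continue
        key = (rec["dstaddr"], int(rec["dstport"]))
        totals[key][0] += 1
        totals[key][1] += int(rec["bytes"])
    return sorted(
        ((addr, port, flows, nbytes)
         for (addr, port), (flows, nbytes) in totals.items()),
        key=lambda row: row[3],
        reverse=True,
    )


if __name__ == "__main__":
    for addr, port, flows, nbytes in rank_internet_destinations(SAMPLE_FLOW_LOGS):
        print(f"{addr}:{port}  flows={flows}  bytes={nbytes}")
```

Two points the ranking makes visible that the explanation only implies: flow logs identify destinations by IP address and port, not by hostname, so the list tells you where traffic went but not which website name was requested; and the DNS flow to 10.0.0.5 and the return traffic from 203.0.113.10 must be filtered out, or the aggregate counts internal and inbound legs as "internet destinations". The IP-level picture is what the investigation half of the requirement needs; the blocking half is then enforced by AWS Network Firewall rules, whose domain-name filtering is the durable control because website IPs change.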
B. Use Amazon CloudWatch Logs Insights to query the logs and determine the internet destinations that the EC2 instances communicate with. Use AWS WAF to block the websites.
AWS WAF protects web applications, not general outbound internet traffic through NAT gateways.
C. Use the BytesInFromSource and BytesInFromDestination Amazon CloudWatch metrics to determine the internet destinations that the EC2 instances communicate with. Use AWS Network Firewall to block the websites.
BytesIn metrics show traffic volume, not which destination IPs or websites instances accessed.
D. Use the BytesInFromSource and BytesInFromDestination Amazon CloudWatch metrics to determine the internet destinations that the EC2 instances communicate with. Use AWS WAF to block the websites.
CloudWatch byte metrics lack destination detail, and AWS WAF does not control NAT egress traffic.