Examice

Exam ANS-C01 All QuestionsBrowse all questions from this exam

Question 1

A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.

Which solution will meet these requirements?

Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.

Create a target group. Add the EKS managed node group's Auto Scaling group as a target Create an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.

Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.

Correct Answer: D

The service requires encryption in transit without decryption between the client and the backend. This can be achieved by using a Network Load Balancer (NLB) which operates at the transport layer (Layer 4), supporting TCP. By using a TLS listener on port 443, the traffic remains encrypted end-to-end. Mutual TLS (mTLS) can be implemented using NLB as it does not terminate the TLS connection, ensuring secure and continuous encryption. Therefore, the correct solution is to use a Network Load Balancer with a TLS listener to forward traffic to the backend service.

Discussion

Amazon_Dumps_comOption: B

B is valid answer ( BBB)

a724412639

A: ALB does support HTTP/2 and gRPC workloads. However, the title mentions that the company needs to use mutual TLS for mutual authentication between the client and the backend. This means that traffic cannot be decrypted between the client and the service backend. Since the ALB will terminate the TLS connection and decrypt the traffic, it does not meet the requirements in the title. In contrast, NLB can forward TCP traffic without decrypting the traffic, so it is more suitable for meeting the needs described in the title. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-mutual-tls-authentication-for-applications-running-on-amazon-eks.html

a724412639

After consideration, I choose B, only ALB supports the gRPC protocol, and the NGINX ingress controller can be used to configure mutual TLS authentication

titi_r

Why NLB couldn't forward (layer 4) gRPC traffic to the backend EC2s? 1. The article below says "Traffic is forwarded in PLAINETXT to the gRPC server because it comes from a virtual private cloud (VPC)." https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html 2. The diagram from your link shows NLB, not ALB: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-mutual-tls-authentication-for-applications-running-on-amazon-eks.html

mtestuser

Why NLB couldn't forward (layer 4) gRPC traffic to the backend EC2s?

maxryan5335Option: A

A is correct ( t.ly/AWSCertifiedAdvancedNetworkingSpecialty )

dim912Option: A

AAAAAAA

43c89f4

consider of 3 points 1. gRPC protocol 2. thousands of connections 3. Mutula TLS above 3 points supports ALB not NLB. hence answer would be B

tromyunpak

now both A and B are correct before MTLS was only supported by NLB but last reinvent mtls is now supported on ALB also

ksdpmxOption: B

gRPC is not supported by NLB natively til now (2024/6)

RaphaelloOption: B

Correct answer is B. ALB support gRPC, not NLB. AWS Load Balancer Controller manage ALB for K8s cluster. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html

JoellaLi

I asked the 'Amazon Q'. And it said B is correct...

vikasj1inOption: B

The AWS Load Balancer Controller for Kubernetes enables the configuration of AWS load balancers directly from Kubernetes resources. An Application Load Balancer (ALB) with an HTTPS listener on port 443 allows for secure communication over the gRPC protocol. With mutual TLS authentication, both the client and the backend server present certificates to each other, ensuring the identity of both parties. Configuring the ALB with HTTPS ensures that traffic between the client and the backend is encrypted in transit without decryption between them. By using the AWS Load Balancer Controller, the ALB can dynamically scale to handle thousands of simultaneous connections, working seamlessly with the Kubernetes Cluster Autoscaler and Horizontal Pod Autoscaler configurations.

tromyunpak

B it is now true since Mtls is supported by the ALB

KienCTOption: A

I TINK A

ExamFrontier

FYI. There are many new questions in the exam taken in June.

xTrayusxOption: B

Using an Application Load Balancer (ALB) with an HTTPS listener on port 443 ensures encryption of traffic in transit.

Marfee400704

I think that it's correct answer is B according to SPOTO products.

marfee

I think that it's correcty answer is A.

AnakBellevue

I passed the test , almost all of questions from this practise, except couple. Get score 884