ANS-C01 Exam Questions

ANS-C01 Exam - Question 1


A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.

Which solution will meet these requirements?

Correct Answer: D

The service requires encryption in transit without decryption between the client and the backend. This can be achieved by using a Network Load Balancer (NLB) which operates at the transport layer (Layer 4), supporting TCP. By using a TLS listener on port 443, the traffic remains encrypted end-to-end. Mutual TLS (mTLS) can be implemented using NLB as it does not terminate the TLS connection, ensuring secure and continuous encryption. Therefore, the correct solution is to use a Network Load Balancer with a TLS listener to forward traffic to the backend service.
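The end-to-end property this explanation relies on, as an added Go example (not from the original page and not AWS code): a relay that only copies bytes stands in for a Layer 4 pass-through hop, so the backend itself completes the TLS handshake and enforces the client certificate. The throwaway CA, the names `backend.example.internal` and `client-42`, and the helpers `issue` and `backendHandshake` are assumptions of this sketch.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue returns a certificate for cn; a nil parent makes a self-signed demo CA.
func issue(cn string, parent *x509.Certificate, signer any) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil {
		t.IsCA, t.KeyUsage, parent, signer = true, x509.KeyUsageCertSign, t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

var caPair, caCert = issue("demo-ca", nil, nil) // constructed throwaway CA and certs; names are assumptions
var backendCert, _ = issue("backend.example.internal", caCert, caPair.PrivateKey)
var clientCert, _ = issue("client-42", caCert, caPair.PrivateKey)

// backendHandshake puts only a byte-copying relay (Layer 4 stand-in) in the path and returns the backend's verdict.
func backendHandshake(clientCerts ...tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	clientSide, lbFront := net.Pipe()
	lbBack, backendSide := net.Pipe()
	go io.Copy(lbBack, lbFront) // the relay holds no key and no certificate
	go io.Copy(lbFront, lbBack)
	defer func() { clientSide.Close(); backendSide.Close() }()
	srv := tls.Server(backendSide, &tls.Config{Certificates: []tls.Certificate{backendCert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, SessionTicketsDisabled: true})
	cfg := &tls.Config{RootCAs: pool, ServerName: "backend.example.internal", Certificates: clientCerts}
	go tls.Client(clientSide, cfg).Handshake()
	return srv.Handshake()
}

func main() { fmt.Println(backendHandshake(clientCert), "|", backendHandshake()) }
```

The backend accepts the client whose certificate chains to the demo CA and rejects a client that presents no certificate, although the relay in between never sees plaintext.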

Discussion

17 comments
a724412639
Mar 18, 2023

A: ALB does support HTTP/2 and gRPC workloads. However, the title mentions that the company needs to use mutual TLS for mutual authentication between the client and the backend. This means that traffic cannot be decrypted between the client and the service backend. Since the ALB will terminate the TLS connection and decrypt the traffic, it does not meet the requirements in the title. In contrast, NLB can forward TCP traffic without decrypting the traffic, so it is more suitable for meeting the needs described in the title. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-mutual-tls-authentication-for-applications-running-on-amazon-eks.html

a724412639
Mar 20, 2023

After consideration, I choose B: only ALB supports the gRPC protocol, and the NGINX ingress controller can be used to configure mutual TLS authentication.

titi_r
Mar 21, 2023

Why couldn't NLB forward (layer 4) gRPC traffic to the backend EC2s? 1. The article below says "Traffic is forwarded in PLAINTEXT to the gRPC server because it comes from a virtual private cloud (VPC)." https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html 2. The diagram from your link shows NLB, not ALB: https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/configure-mutual-tls-authentication-for-applications-running-on-amazon-eks.html

mtestuser
Sep 7, 2023

Why couldn't NLB forward (layer 4) gRPC traffic to the backend EC2s?

Amazon_Dumps_com - Option: B
Jul 18, 2024

B is a valid answer (BBB)

maxryan5335 - Option: A
Jul 16, 2024

A is correct ( t.ly/AWSCertifiedAdvancedNetworkingSpecialty )

tromyunpak
Mar 20, 2024

Now both A and B are correct. Before, mTLS was only supported by NLB, but since last re:Invent mTLS is now supported on ALB also.

43c89f4
May 8, 2024

Consider 3 points: 1. gRPC protocol 2. thousands of connections 3. Mutual TLS. The above 3 points support ALB, not NLB. Hence the answer would be B.

dim912 - Option: A
May 17, 2024

AAAAAAA

tromyunpak
Feb 10, 2024

B. It is now true since mTLS is supported by the ALB.

vikasj1in - Option: B
Feb 15, 2024

The AWS Load Balancer Controller for Kubernetes enables the configuration of AWS load balancers directly from Kubernetes resources. An Application Load Balancer (ALB) with an HTTPS listener on port 443 allows for secure communication over the gRPC protocol. With mutual TLS authentication, both the client and the backend server present certificates to each other, ensuring the identity of both parties. Configuring the ALB with HTTPS ensures that traffic between the client and the backend is encrypted in transit without decryption between them. By using the AWS Load Balancer Controller, the ALB can dynamically scale to handle thousands of simultaneous connections, working seamlessly with the Kubernetes Cluster Autoscaler and Horizontal Pod Autoscaler configurations.

JoellaLi
Mar 17, 2024

I asked the 'Amazon Q'. And it said B is correct...

Raphaello - Option: B
Apr 1, 2024

Correct answer is B. ALB supports gRPC, not NLB. AWS Load Balancer Controller manages ALB for the K8s cluster. https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html

ksdpmx - Option: B
Jun 14, 2024

gRPC is not supported by NLB natively until now (2024/6).

AnakBellevue
Dec 20, 2023

I passed the test; almost all of the questions were from this practice, except a couple. Got a score of 884.

marfee
Feb 8, 2024

I think that its correct answer is A.

Marfee400704
Feb 13, 2024

I think that its correct answer is B according to SPOTO products.

xTrayusx - Option: B
Mar 31, 2024

Using an Application Load Balancer (ALB) with an HTTPS listener on port 443 ensures encryption of traffic in transit.

ExamFrontier
Jul 1, 2024

FYI. There are many new questions in the exam taken in June.

KienCT - Option: A
Jul 8, 2024

I THINK A