Certified Security - Specialty


Incorrect Answer Provided in Quiz

There is one question on the quiz that looks incorrect. The question is, "You are configuring an Elastic Load Balancer for a highly secure environment, which has a strict requirement to secure all network connections end-to-end. How can you avoid exposing your data in plain text at any time? (Choose 2)" One of the "correct" answers is, "Use a Network Load Balancer and terminate SSL on the ELB, then use HTTPS to connect from the ELB to the instances". This implies that the network load balancer is operating at layer 7, which it supposedly can’t do. It looks like the answer was supposed to offer "Classic Load Balancer" in the answer, instead of "Network Load Balancer", or am I missing something? See https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-create-https-ssl-load-balancer.html.

Alex H

I agree – the quiz needs to be updated to fix this.

Sandyg

Correct, I was also confused by NLB being the right answer. It works on Layer 4, not 7.

Faye Ellis

Thanks, I’ll take a look at that quiz question and see what is going on there!

7 Answers

Can’t remember this question. What is certain is that HTTP/HTTPS are not supported protocols for NLBs, so it looks very strange. Can you please retake the exam and copy the entire question/proposed answers?

Cuzco

I tried to upload a screenshot, but I was getting some funky behavior. The exact question and answer are given in my original comment. The incorrect answer was marked as one of the two correct answers.

Claude Beulaygue

I took the practice exam several times before my real exam and never faced this issue. Answers were correct. And I had somehow the same question on the real exam, with complication: (like each question, always badly hardened)

Tony Seibel

Here’s the question and answers. I don’t know if it’s incorrect, but it doesn’t match Faye’s video in the course:

Tony Seibel

You are configuring an Elastic Load Balancer for a highly secure environment, which has a strict requirement to secure all network connections end-to-end. How can you avoid exposing your data in plain text at any time? (Choose 2)

A – Use a Network Load Balancer and terminate SSL on the ELB, then use HTTPS to connect from the ELB to the instances

B – Use a Network Load Balancer with TCP pass through and configure SSL termination on your EC2 instances

C – Use a Network Load Balancer and terminate SSL on the ELB, then use HTTP to connect from the ELB to the instances

D – Use a Classic Load Balancer and terminate SSL on the ELB

E – Use an Application Load Balancer and terminate HTTP traffic on the EC2 Instance

I just completed the quiz and don’t agree with NLB in one of the correct answers too…

I can imagine a scenario which will work with a Network Load Balancer, since the secure environment in this Question requires "ALL" network connections to be secured. In this case you could:

  • create a Network Load Balancer with a TLS TCP Listener

  • create a target group with TLS protocol

Sure, you have a TLS/SSL termination at rest (on the NLB), but encryption in transit is guaranteed.

As of January 2019, AWS supports TLS termination at a Network Load Balancer. https://aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
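The configurations debated in this thread, worked through as an added example that is not part of any post above: it classifies both hops of a load-balanced path from the listener and target group protocols. The function `assess`, its result keys and the `tls_on_instance` flag are hypothetical names, the sample paths are constructed, and Classic Load Balancers are left out.

```python
# Added example (not from the thread): classify both hops of a load-balanced
# path from the Protocol values of a listener and its target group.
TERMINATES_TLS = {"HTTPS", "TLS"}   # the load balancer holds the key for this hop
CLEAR_TEXT = {"HTTP"}               # the load balancer speaks plain HTTP on this hop
# Anything else (TCP, UDP, TCP_UDP) is layer-4 pass-through.

SUPPORTED = {
    "application": {"HTTP", "HTTPS"},
    "network": {"TCP", "TLS", "UDP", "TCP_UDP"},
}


def assess(lb_type, listener, target, tls_on_instance=False):
    """tls_on_instance is the caller's statement that the instances speak TLS
    themselves; it only matters when the load balancer passes bytes through."""
    for proto in (listener, target):
        if proto not in SUPPORTED[lb_type]:
            return {"valid": False, "reason": f"{lb_type} LB has no {proto} protocol"}
    passthrough = listener not in (TERMINATES_TLS | CLEAR_TEXT)
    if passthrough and target in TERMINATES_TLS:
        return {"valid": False, "reason": "pass-through listener needs a pass-through target group"}
    if passthrough:
        # Bytes are forwarded untouched, so protection is whatever the client
        # and the instance negotiated between themselves.
        front = back = tls_on_instance
    else:
        front = listener in TERMINATES_TLS
        back = target in TERMINATES_TLS   # must re-encrypt after terminating
    return {
        "valid": True,
        "client_to_lb_encrypted": front,
        "lb_to_instance_encrypted": back,
        "lb_handles_plaintext": not (passthrough and tls_on_instance),
        "encrypted_in_transit": front and back,
    }


# Constructed sample paths mirroring the configurations discussed in the thread.
PATHS = {
    "NLB, TLS listener, TLS target group": ("network", "TLS", "TLS", False),
    "NLB, TCP pass-through, TLS on instances": ("network", "TCP", "TCP", True),
    "NLB, TLS listener, TCP target group": ("network", "TLS", "TCP", False),
    "NLB, HTTPS listener": ("network", "HTTPS", "HTTPS", False),
    "ALB, HTTP listener, HTTP target group": ("application", "HTTP", "HTTP", False),
}

if __name__ == "__main__":
    for name, path in PATHS.items():
        print(f"{name}: {assess(*path)}")
```

The `lb_handles_plaintext` field separates the two positions taken in the answers: a TLS listener with a TLS target group is encrypted on both hops but decrypted on the load balancer, while TCP pass-through is never decrypted before the instance.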

I do not agree that TLS termination on ELB and HTTPS to EC2 is secure. It’s basically SSL bridging, which is not compliant with some regulatory requirements. End-to-end encryption should be encrypted the whole time without any SSL stripping/offloading.

You are configuring an Elastic Load Balancer for a highly secure environment, which has a strict requirement to secure all network connections end-to-end. How can you avoid exposing your data in plain text at any time? (Choose 2)

Use a Network Load Balancer and terminate SSL on the ELB, then use HTTPS to connect from the ELB to the instances

Use a Classic Load Balancer and terminate SSL on the ELB

Use a Network Load Balancer with TCP pass through and configure SSL termination on your EC2 instances

Use an Application Load Balancer and terminate HTTP traffic on the EC2 Instance

Use a Network Load Balancer and terminate SSL on the ELB, then use HTTP to connect from the ELB to the instances

Could someone explain to me how there are NOT two answers to this?

You have configured a Network ACL to allow outbound access allowing all the EC2 instances in your subnet to download application updates accessed over the internet from a trusted third party using port 443. However, your instances are still not able to download any updates. What could the problem be?

You need to add a rule to the Network ACL allowing inbound traffic on port 443

You need to add a rule to the Network ACL allowing inbound traffic on port 80

You need to add a rule to the Network ACL allowing inbound traffic on ephemeral ports 1024-65535

You need to add a rule to the Network ACL allowing inbound traffic on port 8080

Peter O’Neill

Probably better to open a new question forum than piggyback off of a different question.

Peter O’Neill

But port 443 was opened outbound in the problem statement, so you only need to open the ephemeral port inbound to complete the loop.
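The Network ACL question above, worked through as an added example that is not part of any post in the thread: a NACL is stateless, so the reply to an outbound HTTPS request is checked against the inbound rules by its destination port. The function names are hypothetical, and the rule numbers and the client port are constructed values.

```python
# Added example (not from the thread): a NACL is stateless, so the request and
# the reply are each matched against their own rule list by destination port.

def nacl_allows(rules, dst_port):
    """rules: (rule_number, action, from_port, to_port). The lowest-numbered
    matching rule decides; traffic that matches nothing is denied."""
    for _number, action, low, high in sorted(rules):
        if low <= dst_port <= high:
            return action == "allow"
    return False


def download_works(outbound, inbound, client_port, server_port=443):
    request_leaves = nacl_allows(outbound, server_port)  # instance -> server:443
    reply_returns = nacl_allows(inbound, client_port)    # server -> instance:ephemeral
    return request_leaves and reply_returns


# Constructed values: the outbound rule from the question, the four proposed
# inbound rules, and one ephemeral source port picked by the instance's OS.
OUTBOUND = [(100, "allow", 443, 443)]
CANDIDATES = {
    "inbound 443": [(100, "allow", 443, 443)],
    "inbound 80": [(100, "allow", 80, 80)],
    "inbound 1024-65535": [(100, "allow", 1024, 65535)],
    "inbound 8080": [(100, "allow", 8080, 8080)],
}
CLIENT_PORT = 49152


def evaluate_candidates():
    """Return, for each proposed inbound rule, whether the download completes."""
    return {name: download_works(OUTBOUND, rules, CLIENT_PORT)
            for name, rules in CANDIDATES.items()}


if __name__ == "__main__":
    for name, ok in evaluate_candidates().items():
        print(f"{name}: {'download succeeds' if ok else 'reply dropped'}")
```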
