Design High-Performing Architectures | Hard | Multiple Select | Objective-mapped

Quick Answer

The correct answer is to register instance or IP targets so the service can receive the original client source IP for rate limiting. This works because a Network Load Balancer operates at Layer 4 and, by default, preserves the client source IP when targets are registered directly, unlike Application Load Balancers which terminate the client connection. For a custom TCP protocol that must avoid HTTP header inspection and keep per-request overhead minimal, NLB’s direct packet forwarding is ideal—it adds virtually no latency and passes the original IP untouched, enabling accurate rate limiting without protocol modification. On the SAA-C03 exam, this scenario tests your understanding of when to choose NLB over ALB or Gateway Load Balancer; a common trap is assuming you need Proxy Protocol or X-Forwarded-For headers, but NLB’s default behavior for instance targets already preserves the source IP. Memory tip: “NLB = No Layer 8” — it stays at Layer 4, so the client IP passes through without extra headers.

SAA-C03 Design High-Performing Architectures Practice Question

This SAA-C03 practice question tests your understanding of the Design High-Performing Architectures domain. Match the stated requirement to the specific cloud service, access model, or configuration option; many options are valid in isolation but not for this scenario. After answering, read the full explanation and wrong-answer breakdown below to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A latency-sensitive telemetry service uses a custom TCP protocol on EC2 instances in private subnets. The service must preserve the client source IP for rate limiting, avoid HTTP header inspection, and keep per-request overhead as low as possible. Which changes should the team make? Select three.

Correct answer & explanation

Use a Network Load Balancer in front of the service.

Option A is correct because a Network Load Balancer (NLB) operates at Layer 4 and preserves the client source IP by default when instances are registered as targets. This allows the telemetry service to use the original IP for rate limiting without requiring HTTP header inspection, which is critical for a custom TCP protocol. NLB also introduces minimal latency and low per-request overhead, making it ideal for latency-sensitive workloads.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Use a Network Load Balancer in front of the service.

    Why this is correct

    Correct because NLB is built for high-throughput, low-latency TCP traffic. It avoids HTTP-layer processing and is the right load balancer for a custom binary protocol.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Use a TCP or TLS listener rather than an HTTP listener.

    Why this is correct

    Correct because the application is not speaking HTTP and does not need layer-7 routing. A TCP or TLS listener matches the protocol and keeps the data path lightweight.

  • Register instance or IP targets so the service can receive the original client source IP for rate limiting.

    Why this is correct

    Correct because NLB preserves source IP for instance and IP targets. That lets the backend enforce rate limits based on the actual caller rather than a proxy address.

  • Use an Application Load Balancer because path-based routing improves throughput for binary protocols.

    Why it's wrong here

    Incorrect because ALB is an HTTP/HTTPS layer-7 load balancer. Its routing features do not help a custom TCP protocol and add unnecessary protocol overhead.

  • Expose the service through API Gateway because it supports raw TCP and UDP pass-through.

    Why it's wrong here

    Incorrect because API Gateway is for API protocols such as HTTP and WebSocket, not raw TCP or UDP pass-through. It is not the right fit for a custom binary telemetry stream.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may assume an Application Load Balancer is always better for routing logic, but for non-HTTP protocols and latency-sensitive workloads, the Network Load Balancer is the correct choice because it operates at Layer 4 without protocol inspection.

Detailed technical explanation

How to think about this question

NLB uses flow hash routing based on the 5-tuple (source IP, source port, destination IP, destination port, protocol) to maintain session affinity without inspecting application payloads. When using instance targets, the NLB preserves the client source IP by not performing NAT on the source address, which is essential for rate-limiting logic that relies on the original IP. In contrast, IP targets require enabling proxy protocol to preserve the client IP, but instance targets avoid this overhead.
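The rate-limiting consequence of source IP preservation, as an added example that is not part of the original page: a per-source token bucket keyed on the TCP peer address, run over constructed traffic once with each client's own address visible and once with every flow arriving from a single proxy address. The class and function names, the documentation-range client IPs and the proxy address `10.0.1.5` are assumptions made for illustration.

```python
import time
from collections import defaultdict


class PerSourceRateLimiter:
    """Token bucket per source IP, keyed on the TCP peer address."""

    def __init__(self, rate_per_sec, burst, clock=time.monotonic):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.clock = clock
        # ip -> [tokens, last_refill_time]; a new source starts with a full bucket
        self.buckets = defaultdict(lambda: [self.burst, self.clock()])

    def allow(self, peer_addr):
        """peer_addr is the (ip, port) tuple returned by socket.accept()."""
        ip = peer_addr[0]  # port ignored: one client can open many flows
        bucket = self.buckets[ip]
        now = self.clock()
        bucket[0] = min(self.burst, bucket[0] + (now - bucket[1]) * self.rate)
        bucket[1] = now
        if bucket[0] >= 1.0:
            bucket[0] -= 1.0
            return True
        return False


def simulate(peers, rate=1, burst=3):
    """Run constructed (label, peer_addr) pairs through one limiter with a
    frozen clock; return accepted-message counts per true sender label."""
    limiter = PerSourceRateLimiter(rate, burst, clock=lambda: 0.0)
    accepted = defaultdict(int)
    for label, peer_addr in peers:
        if limiter.allow(peer_addr):
            accepted[label] += 1
    return dict(accepted)


# Constructed traffic: "noisy" sends 10 messages, then "quiet" sends 2.
# Source IP preserved: the backend sees each client's own address.
PRESERVED = [("noisy", ("203.0.113.10", 40000 + i)) for i in range(10)] + \
            [("quiet", ("198.51.100.7", 50000 + i)) for i in range(2)]
# Source IP not preserved: every flow appears to come from the proxy (assumed).
PROXIED = [(label, ("10.0.1.5", port)) for label, (_, port) in PRESERVED]

if __name__ == "__main__":
    print("preserved:", simulate(PRESERVED))
    print("proxied:  ", simulate(PROXIED))
```

With the shared proxy address, the noisy client drains the single bucket and the quiet client is throttled for traffic it did not send.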

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

FAQ

Questions learners often ask

What does this SAA-C03 question test?

This question tests the Design High-Performing Architectures domain. Key concept: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Use a Network Load Balancer in front of the service. — Option A is correct because a Network Load Balancer (NLB) operates at Layer 4 and preserves the client source IP by default when instances are registered as targets. This allows the telemetry service to use the original IP for rate limiting without requiring HTTP header inspection, which is critical for a custom TCP protocol. NLB also introduces minimal latency and low per-request overhead, making it ideal for latency-sensitive workloads.

What should I do if I get this SAA-C03 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Last reviewed: Jun 11, 2026

This SAA-C03 practice question is part of Courseiva's free Amazon Web Services certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SAA-C03 exam.