Design for New Solutions · hard · Multiple Select · Objective-mapped

Quick Answer

The answer is to configure the ALB to use an HTTPS listener for client connections, create a security group rule on the EC2 instances that references the ALB’s security group as the source, and enable HTTPS on the target group to encrypt traffic between the ALB and EC2 instances. This ensures end-to-end encryption by using TLS termination at the ALB for client-facing traffic and then re-encrypting the traffic sent to the backend instances, while the security group restriction guarantees that only the ALB can reach the EC2 instances. On the AWS Certified Solutions Architect Professional SAP-C02 exam, this scenario tests your understanding of security group chaining and target group encryption settings, often appearing as a multi-select question where the trap is choosing network ACLs or placing instances in public subnets. A common memory tip is “ALB as a security guard: it holds the key (HTTPS) and only lets its own badge (security group) through the door.”

SAP-C02 Design for New Solutions Practice Question

This SAP-C02 practice question tests your understanding of design for new solutions. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A company is deploying a web application on AWS. The application runs on EC2 instances behind an ALB. The security team requires that all traffic between the ALB and the EC2 instances be encrypted, and that the EC2 instances only accept traffic from the ALB. Which THREE steps should the architect take? (Choose three.)

Answer choices

  • A. Configure the ALB target group to use HTTPS protocol
  • B. Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group
  • C. Place the EC2 instances in a public subnet
  • D. Configure the ALB to listen on HTTPS for client connections
  • E. Use network ACLs to restrict inbound traffic to the ALB's IP addresses
  • F. Assign the same security group to the ALB and the instances

Correct answer & explanation

Correct answers: A (Configure the ALB target group to use HTTPS protocol), B (Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group) and D (Configure the ALB to listen on HTTPS for client connections).

Option A ensures encryption between the ALB and the instances. Option B restricts the instance security group so that only the ALB's security group is an allowed source. Option D enables an HTTPS listener on the ALB for client-to-ALB encryption (the question focuses on ALB-to-instance encryption, but this is also required for end-to-end encryption). Option C (public subnets) is not needed; the instances should sit in private subnets. Option E (network ACLs) is not the best control because ALB IP addresses can change. Option F (same security group) is not the correct approach; the instances should reference the ALB's separate security group as the source.
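Added example, not part of the Courseiva question page: a Python policy check over constructed data shaped like boto3 describe output, verifying the two controls behind options A and B (the instance security group admits only the ALB's security group, and the target group protocol is HTTPS). Security group ids and target group names are constructed values.

```python
"""Policy check for the two controls the question asks for: the instance
security group admits inbound traffic only from the ALB's security group, and
the target group uses HTTPS so ALB-to-instance traffic is encrypted. Inputs are
constructed dicts shaped like boto3 describe_security_groups() /
describe_target_groups() output (IPv4 rules only); no AWS call is made."""
from typing import Dict, List

ALB_SG = "sg-alb-0001"       # constructed id of the ALB's security group
INSTANCE_SG = "sg-web-0002"  # constructed id of the instances' security group

# Constructed sample: one correct rule (ALB SG on 443) and one offending
# rule (HTTP open to the internet) on the instance security group.
SECURITY_GROUPS: List[Dict] = [
    {"GroupId": INSTANCE_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ALB_SG}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
]

# Constructed sample target groups: one encrypted, one plaintext.
TARGET_GROUPS: List[Dict] = [
    {"TargetGroupName": "web-https", "Protocol": "HTTPS", "Port": 443},
    {"TargetGroupName": "web-http", "Protocol": "HTTP", "Port": 80},
]


def instance_sg_findings(groups: List[Dict], instance_sg: str, alb_sg: str) -> List[str]:
    """One finding per inbound rule on the instance SG that is not 'from the
    ALB security group'. CIDR sources are flagged: they cannot express 'only
    the ALB', whose IP addresses change over time."""
    findings = []
    for group in groups:
        if group["GroupId"] != instance_sg:
            continue
        for perm in group["IpPermissions"]:
            ports = f"{perm.get('FromPort')}-{perm.get('ToPort')}"
            for rng in perm.get("IpRanges", []):
                findings.append(f"{instance_sg}: CIDR source {rng['CidrIp']} on {ports}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair["GroupId"] != alb_sg:
                    findings.append(f"{instance_sg}: non-ALB source {pair['GroupId']} on {ports}")
    return findings


def plaintext_target_groups(target_groups: List[Dict]) -> List[str]:
    """Names of target groups whose ALB-to-target protocol is not HTTPS."""
    return [tg["TargetGroupName"] for tg in target_groups if tg["Protocol"] != "HTTPS"]
```

Run against real describe output, the same two functions flag the exact distractors the question lists: a CIDR-based source (the NACL/IP-address approach) and a plaintext HTTP target group.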


Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Assign the same security group to the ALB and the instances

    Why it's wrong here

    Different security groups should be used; the instances' security group should trust the ALB's security group as its inbound source.

  • Place the EC2 instances in a public subnet

    Why it's wrong here

    Instances should be in private subnets for security.

  • Configure the ALB target group to use HTTPS protocol

    Why this is correct

    Encrypts traffic between ALB and instances.


  • Configure the EC2 instance security group to allow inbound traffic only from the ALB's security group

    Why this is correct

    Restricts access to only the ALB.


  • Use network ACLs to restrict inbound traffic to the ALB's IP addresses

    Why it's wrong here

    ALB IP addresses can change, so a security group reference is the more reliable control.

  • Configure the ALB to listen on HTTPS for client connections

    Why this is correct

    Provides end-to-end encryption from client to instance.



Real-world example

How this comes up in practice

A healthcare organisation deploys an application with a public-facing web tier and a private database tier. The database subnet has no public IP and only accepts connections from the web tier's security group. Questions like this test whether you can design cloud network isolation using VNets/VPCs, subnets, and security group rules.



Same concept, more angles

1 more ways this is tested on SAP-C02

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. A company is designing a new web application that will be deployed on AWS. The application consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances running a web server. The application must be highly available across multiple Availability Zones. The company expects variable traffic patterns, including sudden spikes. The operations team wants to minimize manual intervention. The application stores session state in a shared data store. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. The company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates. The ALB must terminate SSL/TLS connections. Which combination of actions should the company take to meet these requirements?

Difficulty: easy
  • A. Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using the same ACM certificate. Configure health checks on the target group to use HTTP on port 80 with path /health.
  • B. Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTP health checks on port 80.
  • C. Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS on port 443 using a self-signed certificate. Configure health checks to use HTTPS on port 443.
  • D. Configure the ALB with an HTTPS listener using an ACM certificate. Configure the target group with HTTPS health checks on port 443 using a separate ACM certificate.

Why A: Option A is correct because it meets all requirements: the ALB terminates SSL/TLS using an ACM certificate on an HTTPS listener, encrypts traffic between ALB and EC2 instances by using HTTPS on the target group with the same ACM certificate (mutual TLS is not required; the ALB re-encrypts using the same certificate), and uses HTTP health checks on port 80 to avoid certificate validation issues during health checks. This ensures end-to-end encryption, high availability across multiple AZs, and minimizes manual intervention by automating certificate management with ACM.

Last reviewed: Jun 20, 2026
