A company is designing a new web application that will be deployed on AWS. The application consists of an Application Load Balancer (ALB) in front of an Auto Scaling group of EC2 instances running a web server. The application must be highly available across multiple Availability Zones. The company expects variable traffic patterns, including sudden spikes. The operations team wants to minimize manual intervention. The application stores session state in a shared data store. The security team requires that all traffic between the ALB and the EC2 instances be encrypted. The company is using AWS Certificate Manager (ACM) to manage SSL/TLS certificates. The ALB must terminate SSL/TLS connections. Which combination of actions should the company take to meet these requirements?
This option encrypts backend traffic, uses the same ACM certificate for the backend, and uses HTTP health checks to avoid certificate issues.
Why this answer
Option A is correct because it meets all requirements: the ALB terminates SSL/TLS using an ACM certificate on an HTTPS listener; it encrypts traffic between the ALB and the EC2 instances by using HTTPS on the target group with the same ACM certificate (mutual TLS is not required; the ALB re-encrypts using the same certificate); and it uses HTTP health checks on port 80 to avoid certificate validation issues during health checks. This provides end-to-end encryption and high availability across multiple AZs, and it minimizes manual intervention by automating certificate management with ACM.
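The listener, target group and health-check layout that Option A describes, written out as a CloudFormation fragment. This is an added example, not part of the original question or of any AWS-provided material; the VPC, subnets and certificate ARN are parameters supplied elsewhere in the template, and the Auto Scaling group (assumed to exist in the same template) registers its instances by referencing the target group in its TargetGroupARNs property.

```yaml
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PublicSubnets:
    Type: List<AWS::EC2::Subnet::Id>   # subnets in at least two AZs
  AcmCertificateArn:
    Type: String                        # placeholder: arn:aws:acm:REGION:ACCOUNT:certificate/ID

Resources:
  WebAlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Scheme: internet-facing
      Type: application
      Subnets: !Ref PublicSubnets

  # HTTPS listener: the ALB terminates TLS with the ACM-managed certificate
  HttpsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WebAlb
      Port: 443
      Protocol: HTTPS
      Certificates:
        - CertificateArn: !Ref AcmCertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WebTargetGroup

  # Target group: traffic to the instances is re-encrypted (HTTPS on 443),
  # while the health check uses plain HTTP on port 80 as the answer explains
  WebTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: HTTPS
      Port: 443
      TargetType: instance
      HealthCheckProtocol: HTTP
      HealthCheckPort: "80"
      HealthCheckPath: /health
      HealthCheckIntervalSeconds: 15
      HealthyThresholdCount: 2
      UnhealthyThresholdCount: 3
      Matcher:
        HttpCode: "200"
```

The instance web server must listen on both 443 (application traffic) and 80 (health-check path only); the security group on the instances should allow those two ports only from the ALB's security group.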
Exam trap
The trap here is that candidates often assume health checks must use the same protocol as the target group traffic, but AWS recommends using HTTP health checks even for HTTPS target groups to avoid certificate validation failures and ensure reliable health monitoring.
How to eliminate wrong answers
Option B is wrong because it configures the target group with HTTP health checks on port 80 but does not specify HTTPS for the target group traffic, leaving traffic between the ALB and the EC2 instances unencrypted, which violates the security requirement.

Option C is wrong because it uses a self-signed certificate for the target group HTTPS, which would cause the ALB to reject the certificate during health checks and traffic forwarding (the ALB requires trusted certificates for HTTPS target groups), and health checks using HTTPS on port 443 would fail because of certificate validation issues.

Option D is wrong because it uses a separate ACM certificate for the target group HTTPS health checks, which is unnecessary and introduces complexity; the same ACM certificate can be used, and health checks should use HTTP to avoid certificate validation overhead and ensure reliable health monitoring.