A security architect is designing the network security for a web application hosted in a public cloud environment such as AWS. The application uses an Application Load Balancer (ALB) that distributes traffic to a fleet of web servers. The web servers must only accept traffic from the ALB, and all other inbound traffic must be blocked. The ALB itself needs to accept HTTP/HTTPS traffic from anywhere on the internet. Which of the following cloud security controls should the architect configure on the web servers' network interface to best meet this requirement, assuming the cloud provider offers both stateful and stateless network filtering options?

A stateless network ACL that allows inbound traffic from the ALB's subnet only.

Stateless network ACLs require explicit rules for both inbound and outbound traffic. This adds administrative complexity and is more prone to misconfiguration than a stateful security group. While it could work, it is not the best practice for this requirement because security groups offer a simpler, stateful solution that can reference the ALB's security group directly.

A web application firewall (WAF) that inspects all traffic for SQL injection.

A WAF inspects HTTP/HTTPS traffic at the application layer to detect and block attacks like SQL injection or cross-site scripting. It does not control network-level access or filter traffic based on source IP/security group; it is a complementary security control, not a replacement for network-layer filtering.

A host-based firewall on each web server that allows traffic from the ALB's private IP address.

A host-based firewall can be used, but it requires manual configuration on each server and does not leverage the cloud provider's built-in security group functionality. It is also harder to manage at scale compared to security groups, making it a less optimal choice for this scenario.

What does this SY0-701 question test?

CIDR notation defines the prefix length.

What is the correct answer to this question?

The correct answer is: A stateful security group that allows inbound traffic from the ALB's security group only. — A security group is a stateful virtual firewall that controls inbound and outbound traffic at the instance level. By configuring the web server's security group to allow inbound traffic only from the ALB's security group, the architect ensures that only the ALB can initiate connections to the web servers. Security groups automatically allow return traffic, so no additional rules are needed. This is the most efficient and secure approach. Network ACLs are stateless and require separate inbound and outbound rules, making them more complex to manage for this scenario. A WAF operates at the application layer and is not a network-level access control. A host-based firewall is an additional measure but does not leverage the cloud's native security group features for simplified management.

What should I do if I get this SY0-701 question wrong?

Then try more questions from the same exam bank and focus on understanding why the wrong options are tempting.