Medium · 1 mark · Multiple Choice
Domain 1.2: Security Controls · Security · Networking · Network Firewall

AWS SAP-C02 · Question 72 · Domain 1.2: Security Controls

A company is designing a secure network architecture. They have a VPC with public and private subnets. EC2 instances in the private subnets need to download patches from the internet. The security team requires that all outbound traffic be inspected for malware and that access to specific domains can be blocked. Which combination of services should be used? (Select TWO)

Answer options:

A. Deploy a NAT Gateway in the public subnet.

B. Deploy an Internet Gateway in the private subnet.

C. Deploy AWS Network Firewall and route traffic from the private subnets through it.

D. Use AWS WAF to inspect the outbound traffic.

E. Configure Security Groups to block specific domains.

F. Use Amazon GuardDuty to block the traffic.

How to approach this question

Combine internet access with outbound inspection.

Full Answer

To provide internet access to private subnets, a NAT Gateway is required. To inspect that outbound traffic for malware and block domains, AWS Network Firewall must be deployed in the routing path.

Common mistakes

Thinking WAF can inspect outbound traffic.
