ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
A two-tier web application runs on EC2 instances in two private subnets, each in a different Availability Zone. Security engineers must insert a third-party IDS virtual appliance from AWS Marketplace to inspect all outbound internet traffic. The solution must remain available if an AZ fails, require only a route-table change (no instance changes), and let the team add appliance capacity as traffic grows. Which deployment meets these goals?
Enable VPC Flow Logs for the private subnets and forward the logs to an EC2-hosted IDS appliance for offline inspection.
Deploy two IDS appliances in separate Availability Zones behind an Application Load Balancer and point each private subnet's default route (0.0.0.0/0) at the ALB.
Launch one IDS appliance in a dedicated public subnet and configure every EC2 instance to use the appliance's network interface as its default gateway.
Place multiple IDS appliance instances in each Availability Zone behind a Gateway Load Balancer, create Gateway Load Balancer endpoints in the private subnets, and set each subnet's default route to its local endpoint.
Gateway Load Balancer (GWLB) is designed to insert, scale, and manage third-party network security appliances transparently. Deploying at least two IDS instances behind a GWLB and creating Gateway Load Balancer endpoints (GWLBe) in each private subnet yields multi-AZ high availability. Pointing each subnet's default 0.0.0.0/0 route to its local GWLBe diverts all outbound traffic through the appliance fleet without any changes on the EC2 instances, and GWLB automatically load-balances traffic so capacity can be scaled horizontally. The other approaches fail: a single appliance lacks high availability; an Application Load Balancer cannot be a route-table target and only handles Layer 7 traffic; VPC Flow Logs provide post-event metadata, not inline inspection.
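The routing requirement in the explanation above can be checked mechanically. The following is an added example, not part of the original practice question: it audits whether each subnet's 0.0.0.0/0 route targets a GWLB endpoint in that subnet's own Availability Zone. The function name and all resource IDs are hypothetical, and it assumes a GWLB endpoint route appears under `GatewayId` as a `vpce-` ID in DescribeRouteTables-shaped data.

```python
# Added example: audit default routes against the GWLB endpoint (GWLBe) design.
# Inputs mirror the shape of EC2 DescribeSubnets / DescribeVpcEndpoints /
# DescribeRouteTables output. Assumption: a route to a GWLBe is reported
# under "GatewayId" as a vpce- ID. All IDs below are constructed sample data.

def audit_default_routes(subnets, endpoints, route_tables):
    """Return {subnet_id: finding}; a finding is 'ok' or a description of the gap."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    # Map each GWLB-type endpoint to the AZs of the subnets it is placed in.
    gwlbe_azs = {
        e["VpcEndpointId"]: {az_of[sid] for sid in e["SubnetIds"] if sid in az_of}
        for e in endpoints
        if e.get("VpcEndpointType") == "GatewayLoadBalancer"
    }
    findings = {}
    for rt in route_tables:
        default = next((r for r in rt["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
        for assoc in rt.get("Associations", []):
            sid = assoc.get("SubnetId")
            if sid is None:
                continue  # main-table association without an explicit subnet
            target = (default or {}).get("GatewayId", "")
            if default is None:
                findings[sid] = "no default route"
            elif target not in gwlbe_azs:
                findings[sid] = "default route bypasses inspection"
            elif az_of[sid] not in gwlbe_azs[target]:
                findings[sid] = "default route crosses AZ to " + target
            else:
                findings[sid] = "ok"
    return findings

def _rt(subnet_id, **target):
    """Build one constructed route table with a single default route."""
    return {"Associations": [{"SubnetId": subnet_id}],
            "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", **target}]}

# Constructed sample: one correct subnet and two misconfigured ones.
SUBNETS = [{"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a"},
           {"SubnetId": "subnet-app-b", "AvailabilityZone": "us-east-1b"},
           {"SubnetId": "subnet-app-c", "AvailabilityZone": "us-east-1b"}]
ENDPOINTS = [{"VpcEndpointId": "vpce-gwlbe-a", "SubnetIds": ["subnet-app-a"],
              "VpcEndpointType": "GatewayLoadBalancer"},
             {"VpcEndpointId": "vpce-gwlbe-b", "SubnetIds": ["subnet-app-b"],
              "VpcEndpointType": "GatewayLoadBalancer"}]
ROUTE_TABLES = [_rt("subnet-app-a", GatewayId="vpce-gwlbe-a"),
                _rt("subnet-app-b", GatewayId="vpce-gwlbe-a"),
                _rt("subnet-app-c", NatGatewayId="nat-sample")]

if __name__ == "__main__":
    print(audit_default_routes(SUBNETS, ENDPOINTS, ROUTE_TABLES))
```

A cross-AZ finding matters for the availability goal: a subnet whose default route depends on an endpoint in another AZ loses its outbound path when that AZ fails.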
Systems and Application Security