ISC2 Systems Security Certified Practitioner (SSCP) Practice Question
Your company is migrating its on-premises two-node next-generation firewall (NGFW) cluster to AWS. Security policy mandates that all east-west traffic between private subnets in a VPC must continue to be inspected by the same vendor's firewall engine. The solution must support automatic scaling across multiple Availability Zones and minimize ongoing operational maintenance. Which approach best meets these requirements?
Deploy the vendor's virtual firewall instances as an Auto Scaling group behind an AWS Gateway Load Balancer, create Gateway Load Balancer endpoints in each private subnet, and update route tables to send inter-subnet traffic through the load balancer.
Attach AWS WAF web ACLs to the Application Load Balancer that fronts the VPC and configure rules to filter malicious traffic between subnets.
Replace the NGFW with stateless network ACLs that permit only required ports between subnets and enable VPC Flow Logs for monitoring.
Enable AWS Network Firewall in the VPC, import the vendor's signature set, and direct subnet route tables to the firewall endpoint.
Gateway Load Balancer is purpose-built to deploy, scale, and manage third-party virtual appliances such as NGFWs. By placing the vendor's firewall instances behind a Gateway Load Balancer and creating Gateway Load Balancer endpoints (GWLBe) in each protected subnet, all inter-subnet traffic is transparently redirected for inspection. The service automatically distributes traffic across healthy appliances in multiple Availability Zones, providing both elasticity and high availability with minimal operational burden.
AWS WAF attaches only to Application Load Balancers, API Gateway, or CloudFront and inspects HTTP/S traffic, which is insufficient for inspecting all east-west VPC traffic. AWS Network Firewall is an AWS-managed firewall, not the customer's existing vendor solution, so it fails the "same vendor" requirement. Network ACLs are stateless packet filters; while they can restrict ports, they cannot perform the deep inspection or dynamic scaling offered by the NGFW and therefore do not satisfy the stated needs.
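The following Terraform sketch is an added example, not part of the original question or of any vendor's documentation, showing the pieces the explanation names: firewall instances in an Auto Scaling group registered to a Gateway Load Balancer, a GWLB endpoint in each protected subnet, and route tables that steer inter-subnet traffic through the local endpoint. The region, Availability Zones, CIDRs, instance type, health-check port and the vendor AMI variable are all assumptions.

```hcl
# Added example (not from the original page): GWLB east-west inspection pattern.
# AZs, CIDRs, AMI, instance type and health-check port are assumed values.

variable "vendor_ami_id" {
  description = "Assumed: AMI ID of the vendor's virtual NGFW image"
  type        = string
}

locals { azs = ["us-east-1a", "us-east-1b"] }  # assumed

resource "aws_vpc" "app" { cidr_block = "10.0.0.0/16" }

# Appliance subnets (one per AZ) host the firewall instances and the GWLB.
resource "aws_subnet" "appliance" {
  for_each          = { for i, az in local.azs : az => cidrsubnet("10.0.0.0/16", 8, i) }
  vpc_id            = aws_vpc.app.id
  availability_zone = each.key
  cidr_block        = each.value
}

# Workload subnets whose east-west traffic must be inspected.
resource "aws_subnet" "workload" {
  for_each          = { for i, az in local.azs : az => cidrsubnet("10.0.0.0/16", 8, i + 10) }
  vpc_id            = aws_vpc.app.id
  availability_zone = each.key
  cidr_block        = each.value
}

# Gateway Load Balancer: receives whole packets over GENEVE (UDP 6081).
resource "aws_lb" "gwlb" {
  name               = "ngfw-gwlb"
  load_balancer_type = "gateway"
  subnets            = [for s in aws_subnet.appliance : s.id]
}

resource "aws_lb_target_group" "ngfw" {
  name        = "ngfw-targets"
  port        = 6081
  protocol    = "GENEVE"
  vpc_id      = aws_vpc.app.id
  target_type = "instance"
  health_check {
    port     = 80      # assumed: the vendor appliance's health-check port
    protocol = "HTTP"
  }
}

resource "aws_lb_listener" "gwlb" {
  load_balancer_arn = aws_lb.gwlb.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.ngfw.arn
  }
}

# Vendor firewall instances scale across AZs; unhealthy ones are replaced.
resource "aws_launch_template" "ngfw" {
  name_prefix   = "ngfw-"
  image_id      = var.vendor_ami_id
  instance_type = "c5.xlarge"  # assumed
}

resource "aws_autoscaling_group" "ngfw" {
  name                = "ngfw-asg"
  min_size            = 2
  max_size            = 6
  desired_capacity    = 2
  vpc_zone_identifier = [for s in aws_subnet.appliance : s.id]
  target_group_arns   = [aws_lb_target_group.ngfw.arn]
  launch_template {
    id      = aws_launch_template.ngfw.id
    version = "$Latest"
  }
}

# Publish the GWLB as an endpoint service and place a GWLBe in every workload subnet.
resource "aws_vpc_endpoint_service" "gwlb" {
  acceptance_required        = false
  gateway_load_balancer_arns = [aws_lb.gwlb.arn]
}

resource "aws_vpc_endpoint" "gwlbe" {
  for_each          = aws_subnet.workload
  vpc_id            = aws_vpc.app.id
  service_name      = aws_vpc_endpoint_service.gwlb.service_name
  vpc_endpoint_type = "GatewayLoadBalancer"
  subnet_ids        = [each.value.id]
}

# Each workload subnet gets its own route table; traffic to the peer subnet's
# CIDR is sent to the local GWLBe (more specific than the VPC "local" route),
# so both directions of an inter-subnet flow pass through the firewall.
resource "aws_route_table" "workload" {
  for_each = aws_subnet.workload
  vpc_id   = aws_vpc.app.id
}

resource "aws_route_table_association" "workload" {
  for_each       = aws_subnet.workload
  subnet_id      = each.value.id
  route_table_id = aws_route_table.workload[each.key].id
}

resource "aws_route" "peer_via_gwlbe" {
  for_each = { for p in setproduct(keys(aws_subnet.workload), keys(aws_subnet.workload)) :
               "${p[0]}-${p[1]}" => p if p[0] != p[1] }
  route_table_id         = aws_route_table.workload[each.value[0]].id
  destination_cidr_block = aws_subnet.workload[each.value[1]].cidr_block
  vpc_endpoint_id        = aws_vpc_endpoint.gwlbe[each.value[0]].id
}
```

The design point worth checking in a real deployment is symmetry: every workload route table must point at the GWLBe in its own AZ for the peer subnet's CIDR, otherwise one direction of a flow bypasses inspection or crosses AZs. Routes more specific than the VPC's local route are what make the redirection possible without touching the workloads themselves.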
ISC2 Systems Security Certified Practitioner (SSCP)
Systems and Application Security