AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer identifies the fundamental networking challenge with inspecting east-west traffic for Fargate tasks. Fargate tasks are required to use the awsvpc network mode, where each task is assigned its own Elastic Network Interface (ENI) and a private IP address from the VPC's subnet. This means that when one microservice communicates with another in the same VPC, the traffic flows directly between their ENIs within the subnet. Standard VPC routing does not intercept this intra-subnet traffic, making it difficult to force it through a centralized inspection point. To solve this, an architect must implement an advanced networking pattern. Common solutions include using an AWS Transit Gateway to route traffic between different VPCs (or different subnets) to a dedicated 'inspection VPC' where the security appliances are hosted. Another modern approach involves using a service mesh that can control and redirect traffic at the application layer.

Incorrect answers are:

• Fargate tasks absolutely can and do use security groups. A security group is associated with each task's ENI, providing stateful, instance-level firewall capabilities. Stating that they cannot be assigned is factually incorrect.
• While it's true that Fargate does not support host network mode, this mode is irrelevant to the problem of inspecting traffic between separate tasks. Host mode ties a container's networking directly to the underlying host's network stack, which is a concept antithetical to the Fargate serverless model.
• An Application Load Balancer (ALB) primarily manages north-south (ingress) traffic from clients to the services. It does not typically handle direct east-west (service-to-service) communication. Even if it did, the challenge is routing the traffic for inspection, not the encryption itself.