AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is to configure VPC Traffic Mirroring on the relevant ENIs and set the target to a Network Load Balancer (NLB) in the inspection VPC. VPC Traffic Mirroring is designed to copy network traffic from an Elastic Network Interface (ENI) and forward it to a target for out-of-band inspection. This is the ideal solution for an Intrusion Detection System (IDS), which passively analyzes traffic without being in the direct path. Using a Network Load Balancer as the target allows the mirrored traffic to be distributed across a fleet of IDS appliances, ensuring scalability and high availability. This approach has minimal performance impact because it duplicates the traffic rather than routing it through the appliances, avoiding any added latency or a potential single point of failure in the production traffic path.

• Incorrect: Enabling VPC Flow Logs is incorrect because Flow Logs capture metadata about IP traffic (e.g., source/destination IPs, ports, protocol) but do not capture the actual packet payloads. Deep packet inspection (DPI) requires analyzing the full packet content, which is not available in Flow Logs.
• Incorrect: Deploying AWS Network Firewall is incorrect because the requirement is to use a specific fleet of third-party IDS appliances. AWS Network Firewall is a managed AWS service and would not fulfill this explicit requirement.
• Incorrect: Using a Gateway Load Balancer (GWLB) in an in-line configuration is incorrect for this use case. A GWLB is designed to transparently insert appliances into the traffic path for in-line inspection, which is typical for an Intrusion Prevention System (IPS). Since the requirement is for a passive IDS, routing all traffic through the appliances would add unnecessary latency and complexity. The more appropriate and less impactful solution is to copy the traffic using Traffic Mirroring.