PAS-C01 · Question #132
A company is planning to move all its SAP applications to Amazon EC2 instances in a VPC. Recently, the company signed a multiyear contract with a payroll software-as-a-service (SaaS) provider. Integra
The correct answer is D. Add an AWS Network Firewall firewall to the VPC. Add an outbound rule to allow the SAP PO. The requirement is FQDN-based outbound traffic filtering - allowing traffic only to specific domain names, not IP addresses - because the SaaS provider does not publish stable IPs. Why D (AWS Network Firewall) is correct: AWS Network Firewall supports stateful domain list rules t
Question
A company is planning to move all its SAP applications to Amazon EC2 instances in a VPC. Recently, the company signed a multiyear contract with a payroll software-as-a-service (SaaS) provider. Integration with the payroll SaaS solution is available only through public web APIs. Corporate security guidelines state that all outbound traffic must be validated against an allow list. The payroll SaaS provider provides only fully qualified domain name (FQDN) addresses and no IP addresses or IP address ranges. Currently, an on-premises firewall appliance filters FQDNs. The company needs to connect an SAP Process Orchestration (SAP PO) system to the payroll SaaS provider. What must the company do on AWS to meet these requirements?
Options
- AAdd an outbound rule to the security group of the SAP PO system to allow the FQDN of the payroll
- BAdd an outbound rule to the network ACL of the subnet that contains the SAP PO system to allow
- CAdd an AWS WAF web ACL to the VPAdd an outbound rule to allow the SAP PO system to
- DAdd an AWS Network Firewall firewall to the VPC. Add an outbound rule to allow the SAP PO
How the community answered
(46 responses)- A2% (1)
- B4% (2)
- C11% (5)
- D83% (38)
Explanation
The requirement is FQDN-based outbound traffic filtering - allowing traffic only to specific domain names, not IP addresses - because the SaaS provider does not publish stable IPs.
Why D (AWS Network Firewall) is correct: AWS Network Firewall supports stateful domain list rules that filter outbound traffic by FQDN. You can create an allow-list rule that permits SAP PO to reach the payroll SaaS domain while blocking everything else. This mirrors the on-premises firewall appliance behavior and satisfies the corporate security policy.
Why the others are wrong:
- A (Security group outbound rule): Security groups only accept IP addresses and CIDR ranges as rule targets - FQDNs are not supported. The rule simply cannot be created.
- B (Network ACL outbound rule): Same limitation as security groups. Network ACLs are IP/CIDR-based only and do not resolve or match FQDNs.
- C (AWS WAF web ACL): AWS WAF is designed to filter inbound HTTP/HTTPS requests to protect web applications (e.g., behind an ALB or CloudFront). It is not a tool for filtering outbound traffic from EC2 instances to external APIs.
Topics
Community Discussion
No community discussion yet for this question.