A Solutions Architect is designing an application that will run on Amazon ECS behind an Application Load Balancer (ALB). For security reasons, the Amazon EC2 host instances for the ECS cluster are in a private subnet.
What should be done to ensure that the incoming traffic to the host instances is from the ALB only?
A. Create network ACL rules for the private subnet to allow incoming traffic on ports 32768 through 61000 from the IP address of the ALB only.
B. Update the EC2 cluster security group to allow incoming access from the IP address of the ALB only.
C. Modify the security group used by the EC2 cluster to allow incoming traffic from the security group used by the ALB only.
D. Enable AWS WAF on the ALB and enable the ECS rule.
Correct Answer is C
Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-ip-address-type.html