While preparing for the AWS SAA-C03, many candidates get confused by load balancer configuration options and traffic redirection mechanisms. In the real world, this is fundamentally a decision about security enforcement vs. operational simplicity. Let’s drill into a simulated scenario.
The Scenario #
GlobalRetail Inc., an e-commerce platform, hosts their customer-facing website on AWS behind an Application Load Balancer (ALB). The ALB currently accepts both HTTP (port 80) and HTTPS (port 443) traffic to accommodate legacy bookmarks and unencrypted requests. The security team has mandated that all customer traffic must use encrypted HTTPS connections to comply with PCI-DSS requirements and protect customer data in transit.
The infrastructure team needs to implement a solution that:
- Ensures all HTTP requests are automatically upgraded to HTTPS
- Maintains a seamless user experience with minimal latency
- Requires no changes to backend application code
- Follows AWS best practices for cost-effectiveness
Key Requirements #
Enforce HTTPS-only traffic for all website visitors while maintaining service availability and minimizing operational overhead.
The Options #
- A) Update the ALB’s network ACL to only accept HTTPS traffic and block all HTTP requests
- B) Create a URL rewrite rule that replaces “HTTP” with “HTTPS” in the request path
- C) Configure a listener rule on the ALB to redirect HTTP traffic (port 80) to HTTPS (port 443)
- D) Replace the Application Load Balancer with a Network Load Balancer configured to use Server Name Indication (SNI)
Correct Answer #
Option C.
Step-by-Step Winning Logic #
Application Load Balancers provide native HTTP-to-HTTPS redirect capabilities through listener rules—a purpose-built feature for exactly this security requirement. Here’s why this is the optimal solution:
Technical Correctness:
- ALB listener rules operate at Layer 7 (Application Layer), understanding HTTP protocols and able to issue proper 301/302 redirect responses
- The redirect action returns an HTTP 301 (permanent) or 302 (temporary) status code to the client’s browser, instructing it to retry the request using HTTPS
- This preserves the full request path, query strings, and maintains session context
Operational Simplicity:
- Configuration takes 2-3 minutes via AWS Console, CLI, or Infrastructure-as-Code
- No code changes required in backend applications
- Zero downtime implementation—add the rule while traffic flows
Cost Efficiency:
- Redirect rules are included in standard ALB pricing ($0.0225/hour + $0.008/LCU)
- No additional resources, services, or compute costs
- Eliminates the need for custom proxy layers or application-level redirects
Security Benefits:
- Ensures 100% of traffic uses TLS encryption from client to ALB
- Meets compliance requirements (PCI-DSS, HIPAA, SOC 2) for data-in-transit protection
- Prevents protocol downgrade attacks
đź’Ž The Architect’s Deep Dive: Why Options Fail #
The Traps (Distractor Analysis) #
Why not Option A (Network ACL modification)?
- Fatal flaw: Network ACLs operate at Layer 4 (Network/Transport Layer) and can only ALLOW or DENY traffic—they cannot redirect or modify packets
- Blocking HTTP traffic would result in connection failures for users attempting to access
http://URLs rather than gracefully upgrading them to HTTPS - This creates a poor user experience—users would see “connection refused” errors instead of seamless redirects
- Exam trap keyword: “Network ACL” in a question about HTTP protocol handling should immediately raise red flags—ACLs don’t understand application protocols
Why not Option B (URL rewrite rule)?
- Conceptual confusion: URL rewriting modifies the path component of a URL (e.g.,
/old-page→/new-page), not the protocol scheme (http:// vs. https://) - This doesn’t change the transport layer from unencrypted to encrypted—it would still use HTTP if that’s what the client requested
- No AWS service provides this specific functionality as described—it’s technically nonsensical
- Exam trap indicator: Vague, non-standard AWS terminology like “create a rule to replace HTTP with HTTPS in the URL” suggests a distractor
Why not Option D (Replace ALB with NLB + SNI)?
- Massive over-engineering: Network Load Balancers operate at Layer 4 and cannot perform HTTP-to-HTTPS redirects at all—they forward TCP packets without inspecting application-layer protocols
- SNI (Server Name Indication) is a TLS extension for multi-domain certificate hosting, completely unrelated to HTTP redirection
- This solution would cost 10-20 hours of migration effort (updating target groups, DNS, security groups) and introduce unnecessary downtime risk
- FinOps disaster: You’d pay similar LB costs but lose Layer 7 capabilities (path-based routing, host-based routing, WAF integration)
- Exam trap pattern: Combining two advanced features (NLB + SNI) that sound impressive but are irrelevant to the actual requirement
The Architect Blueprint #
graph TD
User([End User Browser]) -->|HTTP Request :80| ALB[Application Load Balancer]
User2([End User Browser]) -->|HTTPS Request :443| ALB
ALB -->|Listener Rule Check| Rule{Is Protocol HTTP?}
Rule -->|Yes| Redirect[Return HTTP 301 Redirect
Location: https://domain.com]
Rule -->|No HTTPS Traffic| TLS[TLS Termination]
Redirect -.->|Browser Retries| User
User -.->|New HTTPS Request| ALB
TLS --> TargetGroup[Target Group
EC2 Instances]
TargetGroup --> App[Application Servers
HTTP :8080]
style ALB fill:#FF9900,stroke:#232F3E,stroke-width:3px,color:#fff
style Redirect fill:#3F8624,stroke:#232F3E,stroke-width:2px,color:#fff
style TLS fill:#527FFF,stroke:#232F3E,stroke-width:2px,color:#fff
style Rule fill:#D13212,stroke:#232F3E,stroke-width:2px,color:#fff
Diagram Note: The ALB evaluates incoming requests; HTTP traffic triggers a 301 redirect response instructing the browser to retry with HTTPS, while HTTPS traffic proceeds directly through TLS termination to backend targets.
Real-World Practitioner Insight #
Exam Rule #
“For the AWS SAA-C03 exam, when you see ‘redirect HTTP to HTTPS’ combined with Application Load Balancer, immediately select the option involving listener rules. ALB is the only AWS load balancer type with native Layer 7 redirect capabilities.”
Key exam patterns to recognize:
- âś… ALB + HTTP/HTTPS + “redirect” → Listener Rules
- ❌ Network ACL + “redirect” → Impossible (Layer 4 limitation)
- ❌ NLB + HTTP redirect → Wrong LB type (no Layer 7 features)
- ❌ “Replace” existing working infrastructure → Usually over-engineering
Real World #
In production environments at scale, we enhance this basic redirect pattern with additional considerations:
1. HSTS Headers (HTTP Strict Transport Security):
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload- After the redirect, configure your application servers to return HSTS headers
- This tells browsers to automatically use HTTPS for future requests for 1 year
- Prevents even the initial HTTP request after the first visit
2. CloudFront Integration:
- Place Amazon CloudFront in front of the ALB for global performance
- Configure CloudFront to reject HTTP requests at the edge (closer to users)
- Use CloudFront’s “Viewer Protocol Policy: Redirect HTTP to HTTPS” for faster redirects
- Cost impact: Adds ~$0.085/GB (first 10TB) but reduces ALB data transfer costs and improves latency
3. Certificate Management:
- Use AWS Certificate Manager (ACM) for free SSL/TLS certificates
- Enable automatic renewal to avoid outages
- For multi-region deployments, certificate replication becomes critical
4. Monitoring Considerations:
CloudWatch Metrics to Track:
- HTTPCode_ELB_3XX_Count (should spike initially, then decline as HSTS takes effect)
- TargetResponseTime (HTTPS adds ~20-50ms for TLS handshake)
- ActiveConnectionCount (validate no impact during implementation)5. Enterprise Reality Check:
- In organizations with legacy integrations (IoT devices, older APIs), you might need to maintain HTTP listeners for specific paths using path-based routing exceptions
- Example:
/api/v1/legacy/*stays on HTTP while/redirects to HTTPS - This violates security best practices but may be a temporary business necessity—document with sunset dates
When HTTP might legitimately remain (rare cases):
- Internal-only ALBs in private subnets where TLS overhead isn’t justified
- Health check endpoints for monitoring systems that don’t support HTTPS
- Cost-sensitive development environments (though this is poor practice)
The exam tests the ideal solution; production requires balancing ideals with organizational constraints.