You are designing an SSL/TLS solution that requires HTTPS clients to be authenticated by the Web server using client certificate authentication. The solution must be resilient. Which of the following options would you consider for configuring the web server infrastructure? Choose 2 answers from the options below

Answer options:

A.Configure ELB with TCP listeners on TCP/443. And place the Web servers behind it.
B.Configure your Web servers with EIPs. Place the Web servers in a Route53 Record Set and configure health checks against all Web servers.
C.Configure ELB with HTTPS listeners, and place the Web servers behind it.
D.Configure your web servers as the origins for a CloudFront distribution. Use custom SSL certificates on your CloudFront distribution.

Answer - A and B
The AWS Documentation mentions the following
You can create a load balancer that uses the SSL/TLS protocol for encrypted connections (also known as SSL offload). This feature enables traffic encryption between your load balancer and the clients that initiate HTTPS sessions, and for connections between your load balancer and your EC2 instances.
Amazon CloudFront is a global content delivery network (CDN) service that accelerates delivery of your websites, APIs, video content or other web assets. It integrates with other Amazon Web Services products to give developers and businesses an easy way to accelerate content to end users with no minimum usage commitments.
Currently, ELBs cannot support authentication for the client side. SSL/TLS certificate is required for two-way SSL authentication to succeed.
The second way is to configure the webservers with Elastic IP address and have the web servers act as the endpoint for the traffic. Let Route53 DNS server send requests to these webservers in a round-robin fashion.
For more information on AWS ELB listeners, please visit the below URL:
http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-https-load-balancers.html
For more information on Cloudfront, please visit the below URL:
https://aws.amazon.com/cloudfront/
Option C is incorrect. The question is asking for a resilient solution. Therefore configuring Rourte53 record set and the corresponding health checks would be the correct answer instead of directly placing the web servers behind the ELB.Option D is incorrect. CloudFront does not support client authentication with client-side SSL certificates. If an origin requests a client-side certificate, CloudFront drops the request.
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#RequestCustomClientSideSslAuth
You can use API Gateway to generate an SSL certificate and use its public key in the backend to verify that HTTP requests to your backend system are from API Gateway. This allows your HTTP backend to control and accept only requests originating from Amazon API Gateway, even if the backend is publicly accessible.
https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html
An ELB Classic Load Balancer cannot validate a client side certificate, so it must be passed through as standard TCP on port 443 to let the EC2 instance handle the validation.
?
Proxy Protocol is an Internet protocol used to carry connection information from the source requesting the connection to the destination for which the connection was requested.By default, when you use Transmission Control Protocol (TCP) for both front-end and back-end connections, your Classic Load Balancer forwards requests to the instances without modifying the request headers. So in this configuration Client side certificate can be used for authentication by the back end server.
So
Option A seems to be correct.