Member, November 30, 2023 at 3:24 am
I hope you are doing well.
Could you please help me understand the answer to the following question:
A company hosts its multi-tiered web application on a fleet of Auto Scaling EC2 instances spread across two Availability Zones. The Application Load Balancer is in the public subnets and the Amazon EC2 instances are in the private subnets. After a few weeks of operations, the users are reporting that the web application is not working properly. Upon testing, the Solutions Architect found that the website is accessible and the login is successful. However, when the “find a nearby store” function is clicked on the website, the map loads only about 50% of the time when the page is refreshed. This function involves a third-party RESTful API call to a maps provider. Amazon EC2 NAT instances are used for these outbound API calls.
Which of the following options is the MOST likely reason for this failure and the recommended solution?
The proposed answer is the following, and I agree with it:
This error is caused by a failed NAT instance in one of the public subnets. Use NAT Gateways instead of EC2 NAT instances to ensure availability and scalability.
However, I don’t see why the following answer is dismissed the way it is:
“One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider. Update the network ACL to allow this connection and configuring IAM permissions to restrict these changes in the future” is incorrect. Network ACLs affect all the subnets associated with it. If there is a misconfigured rule, the other subnets will be affected too, which could result in a 100% failure of requests to the third-party provider.
In fact, the question does not specify whether the network ACL is attached to all the subnets or not; we could have two subnets with two different NACLs, and one of them is causing the issue. This makes this option a potential answer too.
What do you think on your side?
Thanks in advance for your reply on this point 🙂
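As an added example that is not part of the original post or the question's answer key, here is the recommended fix expressed in Terraform: one NAT Gateway per Availability Zone, with each private subnet's route table pointing at the NAT Gateway in its own AZ, so a failure of one AZ's NAT path no longer drops half of the outbound API calls. The `aws_vpc.main`, `aws_subnet.public` and `aws_subnet.private` resources (keyed by AZ name) are assumed to exist elsewhere, with the public subnets already routed to an internet gateway.

```hcl
# Added example, not code from the original post. Assumes aws_vpc.main,
# aws_subnet.public[<az>] and aws_subnet.private[<az>] are defined elsewhere
# and that the public subnets already have a default route to an internet gateway.
locals {
  # One NAT Gateway and one private route table per AZ (AZ names are placeholders).
  azs = toset(["us-east-1a", "us-east-1b"])
}

# Elastic IP for each NAT Gateway.
resource "aws_eip" "nat" {
  for_each = local.azs
  domain   = "vpc"
}

# A managed NAT Gateway in the public subnet of each AZ. Unlike an EC2 NAT
# instance, it is redundant within its AZ and scales without patching.
resource "aws_nat_gateway" "per_az" {
  for_each      = local.azs
  allocation_id = aws_eip.nat[each.key].id
  subnet_id     = aws_subnet.public[each.key].id
}

# One route table per AZ: the private subnet in AZ "a" must only depend on the
# NAT Gateway in AZ "a". Sharing a single route table across both AZs would
# reintroduce a cross-AZ single point of failure.
resource "aws_route_table" "private" {
  for_each = local.azs
  vpc_id   = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.per_az[each.key].id
  }

  tags = { Name = "private-${each.key}" }
}

# Bind each private subnet to the route table of its own AZ.
resource "aws_route_table_association" "private" {
  for_each       = local.azs
  subnet_id      = aws_subnet.private[each.key].id
  route_table_id = aws_route_table.private[each.key].id
}
```

After applying, check each private route table's 0.0.0.0/0 target with `aws ec2 describe-route-tables` and confirm the NAT Gateway's AZ matches the subnet's AZ; a mismatch recreates the 50% failure pattern described in the question (and adds cross-AZ data charges).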
Administrator, December 2, 2023 at 2:28 am
Thanks for posting here. We highly appreciate your feedback.
I understand how the current wording of the option might lead to some confusion, suggesting it could apply to any subnet connected to the NACL. To clear up any ambiguity, I’d like to clarify that our primary focus is actually on the subnets directly involved with the web application. We’ll make sure to revise this option to more accurately reflect this specific context.
Let me know if you have further questions.
Carlo @ Tutorials Dojo