Member, April 4, 2021 at 12:48 am
In this question:
A company hosted a web application on a Linux Amazon EC2 instance in the public subnet that uses a default network ACL. The instance uses a default security group and has an attached Elastic IP address. The network ACL has been configured to block all traffic to the instance. The Solutions Architect must allow incoming traffic on port 443 to access the application from any source.
Which combination of steps will accomplish this requirement? (Select TWO.)
Why is one of the right answers the one with the ephemeral port range 32768-65535?
The question asks for "any source". With that ephemeral port range applied, a Windows client or Lambda could face connectivity issues.
Member, April 5, 2021 at 11:24 am
Thanks for posting your question.
"Why is one of the right answers the one with the ephemeral port range 32768-65535?
The question asks for "any source". With that ephemeral port range applied, a Windows client or Lambda could face connectivity issues."
>> First off, the question requires the application (on the EC2 instance) to be accessible via HTTPS (port 443), so Windows RDP and Lambda are not of concern.
Second, the ephemeral ports are used on the outbound rule and not on the inbound. An ephemeral port is a temporary port automatically assigned by the TCP/IP stack of a computer to communicate with commonly used ports (e.g., 22, 80, 443).
Say I have a server listening on port 443. If the server receives a request from a client, the server will open a new ephemeral port to respond to the client’s request. The server does not respond over the same port (443). After the communication is ended, the ephemeral port becomes available for new connections, hence the term ephemeral or temporary.
The same principle applies when you connect to an SSH server or an RDP server.
I hope this answers your question.
Carlo @ Tutorials Dojo
Member, April 5, 2021 at 7:35 pm
Hi Carlo, thanks for your reply.
Suppose I'm using a Windows client and my connection endpoint is assigned to port 5000. With the outbound rule starting from port 32768, how could the response get back to the client? Port 5000 is forbidden by the NACL.
Member, April 5, 2021 at 11:00 pm
In that case, you must set an inbound rule that allows requests to pass on port 5000. The range of ephemeral ports on the outbound rule remains the same. The server will listen for requests on port 5000. Once communication has been established, the server will open one of the ephemeral ports to respond to that request.
Let me know if you have any other queries.
Carlo @ Tutorials Dojo
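An added example, not part of the thread above, that models the mechanics both exchanges turn on. A network ACL is stateless: the client's request (source = client's ephemeral port, destination = 443) is checked against the inbound rules, and the server's reply (source = 443, destination = the client's ephemeral port) is checked against the outbound rules, so the outbound rule's port range is matched against whatever port the client picked. That is why the port 5000 case in the second question is dropped under a 32768-65535 outbound rule, and why AWS's own NACL documentation suggests opening 1024-65535 outbound on public-facing instances to cover older Windows clients. The rule set, the client addresses and their port ranges are constructed for illustration; the `Rule`, `evaluate`, `https_round_trip` and `connectivity_matrix` names are this example's own, not an AWS API.

```python
"""Added example: stateless network ACL evaluation of one HTTPS round trip.

Not from the original thread.  The ACL rules, client IPs and client port
ranges below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    """One numbered NACL rule.  `cidr` is the remote side (source for an
    inbound rule, destination for an outbound rule); the port range is always
    matched against the *destination* port of the packet being evaluated."""
    number: int
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp" or "all"
    cidr: str
    port_from: int
    port_to: int

    def matches(self, proto: str, remote_ip: str, dst_port: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= dst_port <= self.port_to


def evaluate(rules, proto: str, remote_ip: str, dst_port: int) -> str:
    """Lowest rule number that matches wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, remote_ip, dst_port):
            return rule.action
    return "deny"


def https_round_trip(inbound, outbound, client_ip: str, client_port: int,
                     server_port: int = 443):
    """Return (request_decision, reply_decision) for one client->server
    request and the server's reply.  The reply is sourced from server_port and
    addressed to the client's ephemeral port, so the outbound check is made
    against client_port, not against 443."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request, reply


# The two rules the exam answer adds on top of an ACL that otherwise blocks
# everything (the implicit deny plays the role of "block all traffic").
INBOUND = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
OUTBOUND_32768 = [Rule(100, "allow", "tcp", "0.0.0.0/0", 32768, 65535)]
# The wider range AWS documents for public-facing instances.
OUTBOUND_1024 = [Rule(100, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]

# Constructed clients, each using a source port typical of its OS default range.
CLIENTS = {
    "linux (32768-60999)":         ("198.51.100.10", 40000),
    "windows 2008+ (49152-65535)": ("203.0.113.20", 49500),
    "windows xp (1025-5000)":      ("192.0.2.30", 5000),
}


def connectivity_matrix(outbound):
    """Map client label -> True when both the request and the reply pass."""
    return {
        label: https_round_trip(INBOUND, outbound, ip, port) == ("allow", "allow")
        for label, (ip, port) in CLIENTS.items()
    }


if __name__ == "__main__":
    for label, outbound in (("32768-65535", OUTBOUND_32768),
                            ("1024-65535", OUTBOUND_1024)):
        print(f"outbound ephemeral range {label}:")
        for client, ok in connectivity_matrix(outbound).items():
            print(f"  {client:30} {'works' if ok else 'reply dropped'}")
```

Running it shows the request on 443 admitted for every client, while the reply to the port 5000 client is dropped by the 32768-65535 outbound rule and passes under 1024-65535. The same evaluator can be pointed at any inbound/outbound pair you are about to apply, which is a cheaper check than debugging a half-open TCP handshake after the fact.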