
  • Is this NLB question answer wrong?

  • jun-3

    Member
    January 20, 2021 at 2:04 pm

    One of the practice test questions:

    A company that manages hundreds of AWS client accounts has created a central logging service running on an Auto Scaling group of Amazon EC2 instances. The logging service receives logs from the client AWS accounts through the connectivity provided by AWS PrivateLink. The interface endpoint for this is available on each of the client AWS accounts. The EC2 instances hosting the logging service are spread on multiple subnets with a Network Load Balancer in front to spread the incoming load. Upon testing, the clients are unable to submit logs through the VPC endpoint.

    Which of the following solutions will most likely resolve the issue? (Select TWO.)

    Suggested answers are:

    – Ensure that the NACL associated with the logging service subnet allows communication to and from the NLB subnets. Ensure that the NACL associated with the NLB subnets allows communication to and from the EC2 instances subnets running the logging service.

    – Ensure that the security group attached to the EC2 instances hosting the logging service allows inbound traffic from the NLB subnet IPs.

    However, looking at this AWS doc:

    https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

    For NLB:

    If your target type is an instance, add a rule to your security group to allow traffic from your load balancer and clients to the target IP.

    ———

    My understanding is that we need the security group to allow both the NLB subnet IPs and the client IPs; however, the other option is marked as wrong:

    – Ensure that the security group attached to the EC2 instances hosting the logging service allows inbound traffic from the IP address block of the clients

    It looks to me like it is incorrect; the answer should have all three options. Any thoughts?

  • Carlo-TutorialsDojo

    Administrator
    January 21, 2021 at 2:39 pm

    Hello Jun,

    Thanks for posting your question.

    So there are two “parties” involved in this scenario: client accounts and the logging service. These two parties are connected via the AWS PrivateLink. The logging service as described is a group of EC2 instances spread on different subnets behind an NLB.

    Here is the simplified architecture for this problem:

    Clients -> VPC endpoint -> NLB -> Logging Service (EC2)

    What we want is to allow traffic between the NLB and EC2, but how do we do that?

    NLB is a bit tricky because it does not have a security group. Unlike ALB, we can’t reference the load balancer’s security group ID as a source in our EC2’s security group to facilitate a connection between them.

    A workaround for that is to get the NLB’s IP address and use it instead.

    Now, this option “Ensure that the security group attached to the EC2 instances hosting the logging service allows inbound traffic from the IP address block of the clients” is incorrect because it is telling us to use the IP address block of the clients instead of the NLB IP address (bypassing the NLB and VPC endpoint), and it looks something like this:

    Clients -> Logging Service (EC2)

    As you may already understand, this won’t work at all.

    I hope this helps. Let me know if you need further assistance.

    Regards,

    Carlo
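The workaround Carlo describes (allow the NLB nodes' private IPs in the target security group because an NLB has no security group of its own) can be checked offline before anything is applied. The following is an added example, not code from the thread or from Tutorials Dojo: it builds the `IpPermissions` structure that boto3's `authorize_security_group_ingress` accepts and evaluates, with plain security group semantics, whether each NLB node can reach the logging port. The NLB node IPs, port and client CIDR are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the post). In a real account the NLB
# node private IPs come from the load balancer's network interfaces (their
# description starts with "ELB net/<nlb-name>/"), one per enabled subnet.
NLB_NODE_IPS = ["10.0.1.25", "10.0.2.40"]
LOGGING_PORT = 443
CLIENT_CIDR = "172.16.0.0/16"

def nlb_ingress_permissions(nlb_ips, port, proto="tcp"):
    """Ingress rules in boto3 IpPermissions shape that admit only the NLB
    nodes (one /32 per node), which is the accepted answer's approach."""
    return [{
        "IpProtocol": proto, "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": f"{ip}/32", "Description": "NLB node"}
                     for ip in nlb_ips],
    }]

def client_cidr_permissions(cidr, port, proto="tcp"):
    """The rule the rejected option describes: trusts the clients' block
    instead of the NLB nodes that actually open connections to the targets."""
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": cidr, "Description": "client block"}]}]

def allows(permissions, src_ip, port, proto="tcp"):
    """Offline security group evaluation: True if any ingress rule admits
    src_ip on port/proto. Security groups are allow-only and unordered."""
    src = ipaddress.ip_address(src_ip)
    for perm in permissions:
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        for r in perm.get("IpRanges", []):
            if src in ipaddress.ip_network(r["CidrIp"], strict=False):
                return True
    return False

def reachable_from_nlb(permissions, nlb_ips=NLB_NODE_IPS, port=LOGGING_PORT):
    """Every NLB node must be admitted; a missing node means health checks
    and forwarded connections from that subnet fail."""
    return all(allows(permissions, ip, port) for ip in nlb_ips)

if __name__ == "__main__":
    good = nlb_ingress_permissions(NLB_NODE_IPS, LOGGING_PORT)
    bad = client_cidr_permissions(CLIENT_CIDR, LOGGING_PORT)
    print("NLB-node rules reach targets:", reachable_from_nlb(good))   # True
    print("client-block rules reach targets:", reachable_from_nlb(bad))  # False
```

Run against a real group, the `IpPermissions` returned by `describe_security_groups` can be fed to `reachable_from_nlb` unchanged, since it only reads the `IpRanges` entries.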
