
Forum: AWS / AWS Certified Advanced Networking – Specialty

  • Question 13 on Review Mode Set 1 – Outbound ICMP deny in flow log

  • ben-saito (Member), March 25, 2024 at 1:31 am

    A company has several EC2 instances in its VPC that are publicly accessible from the Internet. A Network Engineer issued a ping command from his home computer with an IP address of 203.0.113.12 to an EC2 instance with a private IP address of 172.31.16.139 and a public address of 52.181.132.48. However, there was no ping response. The VPC Flow Logs have the following records:

    2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
    2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

    Answer:

    “The Network ACL’s outbound rules do not allow ICMP traffic”

    The output shows a “DENY” entry from the VPC Flow Logs, but you wouldn’t see a deny in VPC Flow Logs for a NACL rule, would you? In my experience, if a NACL is dropping a packet you won’t see that in VPC Flow Logs, which would make sense because it’s done at a subnet level and not an ENI level like VPC Flow Logs. Without the VPC Flow Log snippet I think the answer makes sense. The flow log confuses it though, in my opinion.
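As an added example (not part of the post or of any AWS tooling), the script below parses default-format version 2 VPC Flow Log records and flags flows that were ACCEPTed in one direction while the reverse direction on the same ENI was REJECTed. That one-way pattern is what the exam answer above attributes to the outbound network ACL rules: a security group is stateful, so the reply to an accepted inbound flow is not evaluated again, whereas a network ACL evaluates each direction on its own. The two ICMP records are the ones from the question; the TCP and NODATA lines are constructed to show what is not flagged. The field order, record layout and the `find_asymmetric_rejects` helper are this example's own assumptions.

```python
"""Flag one-way REJECTs in VPC Flow Log v2 records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default field order of a version 2 VPC Flow Log record (assumed here).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "nbytes",
          "start", "end", "action", "log_status")

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: the two ICMP lines are the records from the question;
# the TCP pair and the NODATA line are made up for this example.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 49152 22 6 10 1200 1432917100 1432917160 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 22 49152 6 8 900 1432917101 1432917160 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1432917200 1432917260 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    start: int
    end: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Parse one record; NODATA/SKIPDATA records carry '-' placeholders and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError(f"unsupported flow log version {rec['version']!r}")
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), nbytes=int(rec["nbytes"]),
        start=int(rec["start"]), end=int(rec["end"]),
        action=rec["action"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    """Parse all non-empty lines, dropping NODATA/SKIPDATA records."""
    parsed = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in parsed if r is not None]


def find_asymmetric_rejects(records: List[FlowRecord]) -> List[Tuple[FlowRecord, FlowRecord]]:
    """Return (accepted, rejected) pairs: a flow ACCEPTed in one direction whose
    reverse direction on the same ENI was REJECTed within the accepted window."""
    by_key: Dict[tuple, List[FlowRecord]] = defaultdict(list)
    for r in records:
        by_key[(r.interface_id, r.srcaddr, r.dstaddr, r.srcport, r.dstport, r.protocol)].append(r)
    pairs = []
    for (eni, src, dst, sport, dport, proto), forward in by_key.items():
        # Reverse direction: addresses and ports swapped (ICMP records carry 0/0 both ways).
        reverse = by_key.get((eni, dst, src, dport, sport, proto), [])
        for a in forward:
            if a.action != "ACCEPT":
                continue
            for b in reverse:
                if b.action == "REJECT" and a.start <= b.start <= a.end:
                    pairs.append((a, b))
    return pairs


def describe(pair: Tuple[FlowRecord, FlowRecord]) -> str:
    """One-line triage message for an asymmetric pair."""
    a, b = pair
    proto = PROTOCOL_NAMES.get(a.protocol, str(a.protocol))
    return (f"{proto} {a.srcaddr}->{a.dstaddr} ACCEPT on {a.interface_id}, "
            f"reply {b.srcaddr}->{b.dstaddr} REJECT: "
            f"review the stateless (network ACL) rules for the reply direction")


if __name__ == "__main__":
    for pair in find_asymmetric_rejects(parse_log(SAMPLE_LOG)):
        print(describe(pair))
```

Run against the sample, only the ICMP pair is reported: the TCP session was accepted in both directions and the NODATA record is skipped at parse time. The check keys on the ENI as well as the 5-tuple, so a REJECT on a different interface is not mistaken for the reply to this flow.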
