Question 13 on Review Mode Set 1 – Outbound ICMP deny in flow log
A company has several EC2 instances in its VPC that are publicly accessible from the Internet. A Network Engineer issued a ping command from his home computer with an IP address of 203.0.113.12 to an EC2 instance with a private IP address of 172.31.16.139 and a public address of 52.181.132.48. However, there was no ping response. The VPC Flow Logs have the following records:

2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
Answer:
“The Network ACL’s outbound rules do not allow ICMP traffic”
The output shows a “DENY” entry from the VPC Flow Logs, but you wouldn’t see a deny in VPC Flow Logs for a NACL rule, would you? In my experience, if a NACL is dropping a packet you won’t see that in VPC Flow Logs, which would make sense because it’s done at a subnet level and not an ENI level like VPC Flow Logs. Without the VPC Flow Log snippet I think the answer makes sense. The flow log confuses it though in my opinion.
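The reasoning behind the answer key is that a security group is stateful (return traffic is admitted automatically) while a network ACL is stateless, so an inbound ICMP echo that is ACCEPTed followed by a REJECTed outbound echo reply on the same ENI points at a missing outbound NACL rule. The following Python script is an added example, not part of the original post or of any AWS tooling: it parses version 2 flow log records, pairs each REJECTed flow with the ACCEPTed flow in the opposite direction, and reports the mismatch. The sample input consists of the two records from the question plus a constructed TCP flow and a constructed NODATA record (both assumptions, included to show that a symmetric flow and a record without data are not flagged).

```python
"""Pair VPC Flow Log records to spot a request that was ACCEPTed while its
return traffic was REJECTed on the same ENI: the signature of a stateless
filter (a network ACL) lacking an outbound rule."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Field order of the default (version 2) VPC Flow Log record format.
V2_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
             "srcport", "dstport", "protocol", "packets", "bytes",
             "start", "end", "action", "log_status")

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]
    packets: Optional[int]
    bytes: Optional[int]
    start: Optional[int]
    end: Optional[int]
    action: str
    log_status: str


def _opt_int(value: str) -> Optional[int]:
    # NODATA / SKIPDATA records carry "-" instead of numbers.
    return None if value == "-" else int(value)


def parse_record(line: str) -> FlowRecord:
    parts = line.split()
    if len(parts) != len(V2_FIELDS):
        raise ValueError(f"expected {len(V2_FIELDS)} fields, got {len(parts)}")
    f = dict(zip(V2_FIELDS, parts))
    if f["version"] != "2":
        raise ValueError(f"unsupported flow log version {f['version']}")
    return FlowRecord(
        interface_id=f["interface_id"], srcaddr=f["srcaddr"], dstaddr=f["dstaddr"],
        srcport=_opt_int(f["srcport"]), dstport=_opt_int(f["dstport"]),
        protocol=_opt_int(f["protocol"]), packets=_opt_int(f["packets"]),
        bytes=_opt_int(f["bytes"]), start=_opt_int(f["start"]),
        end=_opt_int(f["end"]), action=f["action"], log_status=f["log_status"],
    )


FlowKey = Tuple[str, Optional[int], str, str, Optional[int], Optional[int]]


def _key(r: FlowRecord) -> FlowKey:
    return (r.interface_id, r.protocol, r.srcaddr, r.dstaddr, r.srcport, r.dstport)


def _reverse_key(r: FlowRecord) -> FlowKey:
    # The reply swaps addresses and ports; for ICMP both ports are 0 anyway.
    return (r.interface_id, r.protocol, r.dstaddr, r.srcaddr, r.dstport, r.srcport)


def find_rejected_replies(records: Iterable[FlowRecord]) -> List[Tuple[FlowRecord, FlowRecord]]:
    """Return (accepted_request, rejected_reply) pairs seen on the same ENI."""
    accepted: Dict[FlowKey, FlowRecord] = {}
    rejected: Dict[FlowKey, FlowRecord] = {}
    for r in records:
        if r.log_status != "OK":
            continue  # nothing to pair for NODATA / SKIPDATA records
        (accepted if r.action == "ACCEPT" else rejected)[_key(r)] = r
    pairs = []
    for reply in rejected.values():
        request = accepted.get(_reverse_key(reply))
        if request is not None:
            pairs.append((request, reply))
    return pairs


def diagnose(request: FlowRecord, reply: FlowRecord) -> str:
    proto = PROTOCOL_NAMES.get(reply.protocol, str(reply.protocol))
    return (f"{reply.interface_id}: {proto} {request.srcaddr} -> {request.dstaddr} was "
            f"ACCEPTed but the return flow {reply.srcaddr} -> {reply.dstaddr} was REJECTed. "
            f"A security group is stateful and admits return traffic, so look for a "
            f"network ACL that has no outbound {proto} allow rule.")


# Constructed sample: the two records from the question, a TCP flow accepted in
# both directions (must not be flagged), and a NODATA record (must be skipped).
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 49152 22 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 22 49152 6 20 4249 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1432917027 1432917142 - NODATA
"""


def analyse(log_text: str) -> List[str]:
    records = [parse_record(line) for line in log_text.splitlines() if line.strip()]
    return [diagnose(req, rep) for req, rep in find_rejected_replies(records)]


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the records above, the script reports exactly one finding, for the ICMP flow; the symmetric TCP session is left alone because both directions were accepted, and the NODATA record is skipped because it has no addresses to pair.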