Question 13 on Review Mode Set 1 – Outbound ICMP deny in flow log

[ben-saito]

<div>

A company has several EC2 instances in its VPC that are publicly accessible from the Internet. A Network Engineer issued a ping command from his home computer with an IP address of 203.0.113.12 to an EC2 instance with a private IP address of 172.31.16.139 and a public address of 52.181.132.48. However, there was no ping response. The VPC Flow Logs have the following records:

2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK

</div>

Answer:

“The Network ACL’s outbound rules do not allow ICMP traffic”

The output shows a “DENY” entry from the vpc flow logs, but you wouldn’t see a deny in vpc flow logs for a NACL rule, would you? In my experience, if a NACL is dropping a packet you won’t see that in vpc flow logs, which would make sense because it’s done at a subnet level and not an ENI level like vpc flow logs. Without the vpc flow log snippet I think the answer makes sense. The flow log confuses it though in my opinion.