Member, November 28, 2020 at 10:10 am
A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. The EC2 cluster also connects to a third-party API that provides additional information on the site. However, the online portal is still unreachable over the public Internet after the deployment.
How can the Administrator fix this issue? (Select TWO.)
If EC2 instances are behind an ALB, should it not be?
Allow request/response on the ALB on 80 and 443. This is a security group.
Between, say, the ALB and a web server that is hosted on EC2 instances in a private subnet, will it not allow traffic both inbound and outbound on the ACL on ephemeral ports 1024 – 65535?
What I don't understand is why, given the choices, you did not choose
"In the Network ACL, add a new rule to allow inbound traffic on ports 1024 – 65535" and instead chose "In the Network ACL, add a new rule to allow outbound traffic on port 80 and port 443."
Please advise. I am missing something here. Thanks in advance for the great notes and preparation
Member, December 2, 2020 at 11:46 am
Thanks for your feedback.
In this scenario, the group of EC2 instances is acting as both a web server and a client. The server is listening on ports 80 and 443 as mentioned in the question (both the NACL and the Security Group are configured to allow inbound traffic on ports 80 & 443).
Unlike Security Groups, NACLs are stateless — inbound rules are not automatically applied to the outbound rules. To enable the connection to a service running on an instance, the associated network ACL must allow the inbound traffic on the port that the service is listening on and allow outbound traffic from ephemeral ports. Whenever a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.
Since the web server is also acting as a client, as it makes requests to a web server somewhere on the public Internet, ports 80 and 443 must also be applied on the outbound rule.
Carlo @ Tutorials Dojo
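An added example, not part of the thread or of any Tutorials Dojo material: a small Python simulation of how a stateless NACL evaluates the two flows from the question (browser to portal, instance to third-party API), contrasted with a stateful Security Group. The rule numbers, the rule sets and the source ports 51515 and 40000 are constructed assumptions. It goes one step beyond the reply above by also checking the return leg of the API call, which arrives inbound on an ephemeral port.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # client-side source ports, as described in the reply above

@dataclass(frozen=True)
class Rule:
    number: int          # NACL rule number; lower numbers are evaluated first
    action: str          # "allow" or "deny"
    ports: tuple         # inclusive (low, high) destination port range

def nacl_permits(rules, dst_port):
    """Stateless: each packet is matched on its own, lowest rule number first,
    first match wins, and the implicit '*' rule denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.ports[0] <= dst_port <= r.ports[1]:
            return r.action == "allow"
    return False

def tcp_exchange_ok(inbound, outbound, server_port, client_port, server_is_instance):
    """A TCP exchange needs the request leg AND the reply leg to pass, because
    the NACL keeps no connection table."""
    if server_is_instance:                                # browser -> portal on the instance
        return (nacl_permits(inbound, server_port)        # request arrives on 80/443
                and nacl_permits(outbound, client_port))  # reply leaves for an ephemeral port
    return (nacl_permits(outbound, server_port)           # instance -> third-party API
            and nacl_permits(inbound, client_port))       # API reply arrives on an ephemeral port

def sg_exchange_ok(inbound_ports, server_port, server_is_instance):
    """Stateful: only the initiating packet is checked and replies are tracked;
    a default Security Group allows all outbound, so instance-initiated calls pass."""
    return server_port in inbound_ports if server_is_instance else True

# Constructed rule sets: "as deployed" in the question, then after the fix (assumed numbers).
AS_DEPLOYED_IN  = [Rule(100, "allow", (80, 80)), Rule(110, "allow", (443, 443))]
AS_DEPLOYED_OUT = []                                      # nothing explicitly allowed outbound
FIXED_IN  = AS_DEPLOYED_IN + [Rule(120, "allow", EPHEMERAL)]
FIXED_OUT = [Rule(100, "allow", (80, 80)), Rule(110, "allow", (443, 443)),
             Rule(120, "allow", EPHEMERAL)]

def portal_reachable(inbound, outbound, browser_src_port=51515):   # assumed browser port
    return tcp_exchange_ok(inbound, outbound, 443, browser_src_port, True)

def api_call_works(inbound, outbound, instance_src_port=40000):    # assumed instance port
    return tcp_exchange_ok(inbound, outbound, 443, instance_src_port, False)

if __name__ == "__main__":
    print("as deployed: portal", portal_reachable(AS_DEPLOYED_IN, AS_DEPLOYED_OUT),
          "api", api_call_works(AS_DEPLOYED_IN, AS_DEPLOYED_OUT))
    print("after fix:   portal", portal_reachable(FIXED_IN, FIXED_OUT),
          "api", api_call_works(FIXED_IN, FIXED_OUT))
```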