Member, January 18, 2023 at 4:41 am
Hi – A quick clarification on this question. The EC2 instances are initiating traffic to external APIs, which means that the EC2 source range will be ephemeral ports and they will reach out to well-known ports (in this case 80 and 443), and the inbound will be ephemeral ports. If this is correct, why is the correct option option 3 in the list below? Or have I understood the question wrong, or my understanding: the port range in the outbound rules is the destination ports to the API, right, and not the other way round?
A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. The EC2 cluster also connects to a third-party API that provides additional information on the site. However, the online portal is still unreachable over the public internet after the deployment.
How can the Administrator fix this issue?
- In the Security Group, add a new rule to allow outbound traffic on port 80 and port 443.
- Allow ephemeral ports in the Security Group by adding a new rule to allow outbound traffic on ports 1024 – 65535.
- Allow ephemeral ports in the Network ACL by adding a new rule to allow outbound traffic on ports 1024 – 65535.
- In the Network ACL, add a new rule to allow inbound traffic on ports 1024 – 65535.
Administrator, January 19, 2023 at 3:15 am
Thanks for your feedback.
Your understanding is partially correct. In the scenario, the group of EC2 instances is acting as both a server and a client. For the instances to call APIs, the NACL inbound/outbound configuration should be reversed, meaning ephemeral ports must be set in the inbound and 80, 443 in the outbound. However, in the scenario, the instances are “failing as a server” since their clients were not able to access them over the internet, hence the correct answer.
I understand it can be confusing. We’ll clarify the requirements better.
Let me know if this helps.
Carlo @ Tutorials Dojo
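To make the server-versus-client distinction in the answer above concrete, here is an added example that is not part of the Tutorials Dojo question or of Carlo's reply. It models how a stateless Network ACL and a stateful Security Group treat the two packets of one TCP exchange. The rule numbers, the client source port (50000) and the instance's local port (40000) are constructed values; the NACL starts in the state the question describes (80 and 443 allowed inbound, nothing yet allowed outbound) and `OPTION_3` is the outbound ephemeral rule from option 3.

```python
"""Added example, not from the original thread: a small model of AWS Network
ACL (stateless) and Security Group (stateful) evaluation for one TCP exchange.
All rule numbers and port values below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Range AWS recommends for NACL ephemeral-port rules; it also covers the
# source ports an Application Load Balancer uses towards its targets.
EPHEMERAL: Tuple[int, int] = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; the lowest matching number wins
    action: str       # "allow" or "deny"
    port_from: int
    port_to: int


def nacl_permits(rules: List[Rule], dst_port: int) -> bool:
    """Stateless NACL evaluation of one packet: the first matching rule by
    ascending number decides; no match falls through to the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to:
            return rule.action == "allow"
    return False


def nacl_exchange_allowed(inbound: List[Rule], outbound: List[Rule],
                          instance_is_server: bool,
                          service_port: int, peer_ephemeral_port: int) -> bool:
    """A TCP exchange crosses the NACL twice and the NACL remembers nothing,
    so both packets must match an allow rule in their own direction."""
    if instance_is_server:
        # client -> instance: inbound, destination port = service port
        # instance -> client: outbound, destination port = client's ephemeral port
        return (nacl_permits(inbound, service_port)
                and nacl_permits(outbound, peer_ephemeral_port))
    # instance -> API: outbound, destination port = service port
    # API -> instance: inbound, destination port = instance's ephemeral port
    return (nacl_permits(outbound, service_port)
            and nacl_permits(inbound, peer_ephemeral_port))


def sg_exchange_allowed(inbound_ports: Set[int], outbound_ports: Set[int],
                        instance_is_server: bool, service_port: int) -> bool:
    """Stateful Security Group: only the packet that opens the connection is
    checked; the reply is tracked and allowed whatever the other direction says."""
    if instance_is_server:
        return service_port in inbound_ports
    return service_port in outbound_ports


# The question's starting point (constructed): NACL allows 80/443 inbound only.
PORTAL_INBOUND = [Rule(100, "allow", 80, 80), Rule(110, "allow", 443, 443)]
PORTAL_OUTBOUND: List[Rule] = []            # nothing added yet -> implicit deny
OPTION_3 = Rule(100, "allow", *EPHEMERAL)   # outbound ephemeral rule from option 3


def portal_reachable(outbound: List[Rule]) -> bool:
    """Internet client (source port 50000, constructed) hitting the portal on 443."""
    return nacl_exchange_allowed(PORTAL_INBOUND, outbound,
                                 instance_is_server=True,
                                 service_port=443, peer_ephemeral_port=50000)


def api_call_works(inbound: List[Rule], outbound: List[Rule]) -> bool:
    """Instance (local port 40000, constructed) calling a third-party API on 443."""
    return nacl_exchange_allowed(inbound, outbound,
                                 instance_is_server=False,
                                 service_port=443, peer_ephemeral_port=40000)


if __name__ == "__main__":
    print("portal before fix:", portal_reachable(PORTAL_OUTBOUND))      # False
    print("portal after option 3:", portal_reachable([OPTION_3]))       # True
    # The client role needs the mirror image: outbound 443 plus inbound ephemeral.
    client_in = PORTAL_INBOUND + [Rule(120, "allow", *EPHEMERAL)]
    client_out = [OPTION_3, Rule(110, "allow", 443, 443)]
    print("API call, server-only NACL:", api_call_works(PORTAL_INBOUND, [OPTION_3]))  # False
    print("API call, both directions:", api_call_works(client_in, client_out))        # True
    # Security Group: the reply path needs no outbound rule at all.
    print("SG portal, no outbound rules:", sg_exchange_allowed({80, 443}, set(), True, 443))  # True
```

The model shows why options 1 and 2 cannot fix the portal: a Security Group never consults its outbound rules for the reply to an inbound connection, so adding outbound rules to it changes nothing. It also shows that option 4 (inbound 1024–65535 on the NACL) is the rule the instances need for their own calls to the third-party API, but it does not affect the unreachable-portal symptom, which is decided by the outbound direction. One practical caveat: the ALB forwards to the targets from source ports in 1024–65535, which is why that full range, rather than a single operating system's ephemeral range, is the one to allow on the instance subnet's NACL.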
Member, January 20, 2023 at 9:05 pm
Thanks for your response Carlo.
Maybe it is a better idea to reword the question, because in the scenario you present in your explanation, the ephemeral ports will need to be open both inbound and outbound.
Member, January 20, 2023 at 9:09 pm
These words, I am not sure, indicate that the EC2 instances are servers in the scenario: “The EC2 cluster also connects to a third-party API” seems to say the cluster is calling the API, so outbound will be on well-known ports (80 and 443). Inbound will be on ephemeral.
Please do let me know what you think.