
  • jjreyn

    Member
    September 2, 2020 at 12:30 pm

    A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. The EC2 cluster also connects to a third-party API that provides additional information on the site. However, the online portal is still unreachable over the public Internet after the deployment.

    How can the Administrator fix this issue?

    A. Allow ephemeral ports in the Network ACL by adding a new rule to allow outbound traffic on ports 1024 – 65535.

    B. Allow ephemeral ports in the Security Group by adding a new rule to allow outbound traffic on ports 1024 – 65535.

    C. In the Network ACL, add a new rule to allow outbound traffic on port 80 and port 443.

    D. In the Network ACL, add a new rule to allow inbound traffic on ports 1024 – 65535.

    E. In the Security Group, add a new rule to allow outbound traffic on port 80 and port 443.

    Wouldn’t A,C,D,and E all be needed? A to allow egress back in through the NACL. C to allow calls to the API to go out, D to allow API responses, and E to allow calls to the API through the security group?

    The correct answer only has A and C — for C to work, you would also need to do D and E, no?

    Thanks in advance!

    Also — this question does not specify how many answers to choose.

  • TutorialsDojo-Support

    Member
    September 22, 2020 at 5:30 pm

    Hello jjreyn,

    Thanks for bringing up the question. We have already updated the question to be a multiple-choice (Select TWO). This change will be reflected in our practice tests soon.

    This AWS Knowledge Center reference might help you:

    To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.

    https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/

    I hope this helps.

    Let us know if you need further assistance. The Tutorials Dojo team is dedicated to helping you pass your AWS exam on your first try!

    Regards,

    Gerome Pagatpatan @ Tutorials Dojo

  • TutorialsDojo-Support

    Member
    September 22, 2020 at 10:59 pm

    Hello jjreyn,

    In addition to the answer provided by Gerome:

    The correct answer only has A and C — for C to work, you would also need to do D and E, no?

    >> You will need A, because the EC2 instance will need to reply to inbound traffic (port 80 and 443), the Outbound traffic for that will be ephemeral ports 1024 – 65535

    >> You will need C, because you need to call third-party API with the ports HTTP and HTTPS

    >> You don’t need D, because inbound traffic is only limited to Port 80 and port 443. You don’t need inbound traffic for ephemeral ports. NACLs have independent inbound and outbound rules.

    >> You don’t need E, as Security Groups are stateful, traffic will be allowed outbound if you already have an Inbound rule for it.

    Let us know if you need further assistance.

    Regards,

    Kenneth Samonte @ Tutorials Dojo

  • jjreyn

    Member
    September 22, 2020 at 11:48 pm

    Without E, the system will be unable to initiate the connection through the sg to the third party APIs. Assuming E is in place, the responses from the third party APIs will come back in on ephemeral ports, so those need to be opened up on the NACL (D).
    So the overall flow for the API communication should be:

    Outbound API call goes out through the SG (allowed by E), then out through the NACL (allowed by C), and reaches the destination whereupon a response is returned. The response is on an ephemeral port (allowed by D). The SG is stateful so “B” is not needed or desired.

    BTW — I’ve passed the sysops exam so this question isn’t really relevant for me any more.

    Thanks!
    -JJ
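The stateful-versus-stateless distinction this thread turns on is easy to get wrong in the abstract, so here is a small model of it. The Python below is an added example, not code from the thread or from Tutorials Dojo. It assumes (as the question does not say) that the Security Group kept the AWS default allow-all outbound rule, and that the subnet NACL in front of the instances is the one being edited. It evaluates both packets of each TCP exchange, the request and its reply, for the two flows in the question: a browser reaching the portal on 443, and the instance calling the third-party API on 443, under different subsets of the answer letters A, C and D. The port numbers and rule tables are constructed for the example.

```python
"""Constructed model of how an AWS Security Group (stateful) and a Network ACL
(stateless) treat the two TCP flows in the question: a browser reaching the
portal, and the EC2 instance calling the third-party API.

Assumptions (not from the thread): the Security Group still carries the default
"allow all outbound" rule, and the subnet NACL is the one in front of the instances.
"""


class Rule:
    """Allow rule for one direction, matched on the packet's destination port."""

    def __init__(self, direction, port_lo, port_hi):
        self.direction = direction  # "in" or "out"
        self.port_lo = port_lo
        self.port_hi = port_hi

    def matches(self, direction, dst_port):
        return self.direction == direction and self.port_lo <= dst_port <= self.port_hi


EPHEMERAL = (1024, 65535)  # range quoted in the thread and the AWS Knowledge Center


class SecurityGroup:
    """Stateful filter: once a packet is allowed, the reply packets of that flow
    are allowed automatically, whatever the rules for the reverse direction say."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._tracked = set()  # (direction, src_port, dst_port) of allowed packets

    def allow(self, direction, src_port, dst_port):
        reverse = "out" if direction == "in" else "in"
        if (reverse, dst_port, src_port) in self._tracked:
            return True  # reply to a flow that was already allowed
        if any(r.matches(direction, dst_port) for r in self.rules):
            self._tracked.add((direction, src_port, dst_port))
            return True
        return False


class NetworkACL:
    """Stateless filter: every packet is judged only by the rules of its own direction."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, direction, src_port, dst_port):
        return any(r.matches(direction, dst_port) for r in self.rules)


def _check_packet(sg, nacl, direction, src_port, dst_port):
    # Inbound packets cross the subnet NACL before the instance SG; outbound the reverse.
    order = [("nacl", nacl), ("sg", sg)] if direction == "in" else [("sg", sg), ("nacl", nacl)]
    for name, flt in order:
        if not flt.allow(direction, src_port, dst_port):
            return f"blocked by {name}"
    return "allowed"


def evaluate_flow(sg, nacl, initiated_by, client_port, server_port):
    """Fate of the request and of its reply for one TCP exchange.
    initiated_by is "internet" (browser -> portal) or "instance" (EC2 -> API)."""
    req_dir, resp_dir = ("in", "out") if initiated_by == "internet" else ("out", "in")
    request = _check_packet(sg, nacl, req_dir, client_port, server_port)
    response = _check_packet(sg, nacl, resp_dir, server_port, client_port)
    return {"request": request, "response": response,
            "ok": request == "allowed" and response == "allowed"}


def build_filters(nacl_options):
    """Rules as described in the question, plus the chosen answer letters (A, C, D)."""
    sg = SecurityGroup([Rule("in", 80, 80), Rule("in", 443, 443),
                        Rule("out", 0, 65535)])  # assumed: default outbound rule kept
    nacl_rules = [Rule("in", 80, 80), Rule("in", 443, 443)]
    if "A" in nacl_options:
        nacl_rules.append(Rule("out", *EPHEMERAL))
    if "C" in nacl_options:
        nacl_rules += [Rule("out", 80, 80), Rule("out", 443, 443)]
    if "D" in nacl_options:
        nacl_rules.append(Rule("in", *EPHEMERAL))
    return sg, NetworkACL(nacl_rules)


def run_scenarios(nacl_options):
    """Evaluate the portal flow and the API flow under one set of NACL options."""
    sg, nacl = build_filters(nacl_options)
    portal = evaluate_flow(sg, nacl, "internet", client_port=50000, server_port=443)
    api_call = evaluate_flow(sg, nacl, "instance", client_port=40000, server_port=443)
    return {"portal": portal, "api_call": api_call}


if __name__ == "__main__":
    for opts in ("", "AC", "ACD"):
        print(f"NACL options {opts or 'none'}: {run_scenarios(opts)}")
```

Running it shows the two behaviours side by side: the stateful Security Group never needs a rule for reply traffic, so the portal reply and the API reply both clear it on flow state alone, while the stateless NACL evaluates each reply on its own. With A and C the portal flow works end to end, and the outbound API request leaves the subnet, but its reply arrives inbound on the instance's ephemeral source port, which is the packet JJ's flow description ends on.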

  • TutorialsDojo-Support

    Member
    September 23, 2020 at 9:21 am

    Hello jjreyn,

    Congratulations on passing the exam! Well done! We at Tutorials Dojo are happy to hear that you found our content useful.

    We hope to see you in our other AWS practice test courses. 🙂

    Regards,

    Gerome @ Tutorials Dojo
