Member, October 24, 2023 at 1:17 am
On this question regarding a NAT instance setup:
“A company hosts its multi-tiered web application on a fleet of Auto Scaling EC2 instances spread across two Availability Zones. The Application Load Balancer is in the public subnets and the Amazon EC2 instances are in the private subnets. After a few weeks of operations, the users are reporting that the web application is not working properly. [… more …]”
This answer was marked wrong:
“One of the subnets in the VPC has a misconfigured Network ACL that blocks outbound traffic to the third-party provider. Update the network ACL to allow this connection and configure IAM permissions to restrict these changes in the future.”
The correct answer was essentially “replace with a NAT gateway”, which is not wrong, but neither is this one. The explanation for why this was incorrect said:
“Network ACLs affect all the subnets associated with it. If there is a misconfigured rule, the other subnets will be affected too, […]”
That’s not true. Although I can use the same network ACL for all subnets, I don’t have to. And since the question specifically said “ONE of the subnets”, that seemed to be an indication that they were different.
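To make the point about per-subnet NACL association concrete, here is an added example (not code from the thread or from Tutorials Dojo) that evaluates each subnet against the NACL it is actually associated with, using the ordered first-match semantics of network ACL rules. The VPC data is constructed in the shape of EC2 DescribeNetworkAcls output, the subnet and ACL IDs are made up, and the provider CIDR is a placeholder.

```python
# Added example, not code from the thread or from Tutorials Dojo: each subnet is
# checked against the NACL it is actually associated with, to show that a bad
# egress rule only affects that NACL's subnets. Data below is constructed in the
# shape of EC2 DescribeNetworkAcls output; the provider CIDR is a placeholder.
import ipaddress

PROVIDER_CIDR = "203.0.113.0/24"  # placeholder (TEST-NET-3), not a real provider
ALLOW_ALL = {"RuleNumber": 100, "Egress": True, "Protocol": "-1",
             "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}
CATCH_ALL = {"RuleNumber": 32767, "Egress": True, "Protocol": "-1",
             "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}  # the '*' rule
BAD_DENY = {"RuleNumber": 90, "Egress": True, "Protocol": "6", "RuleAction": "deny",
            "CidrBlock": PROVIDER_CIDR, "PortRange": {"From": 443, "To": 443}}

# Constructed: two private subnets, each with its own NACL; only the second is broken.
NETWORK_ACLS = [
    {"NetworkAclId": "acl-a", "Associations": [{"SubnetId": "subnet-private-a"}],
     "Entries": [ALLOW_ALL, CATCH_ALL]},
    {"NetworkAclId": "acl-b", "Associations": [{"SubnetId": "subnet-private-b"}],
     "Entries": [ALLOW_ALL, BAD_DENY, CATCH_ALL]},
]

def entry_matches(entry, dst_ip, protocol, port):
    """A rule matches on CIDR, protocol ('-1' = any) and, if present, port range."""
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    if entry["Protocol"] not in ("-1", protocol):
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]

def egress_allowed(acl, dst_ip, protocol="6", port=443):
    """NACLs are evaluated in ascending rule number; the first match decides,
    and the '*' rule (32767) denies whatever nothing else matched."""
    for e in sorted((e for e in acl["Entries"] if e["Egress"]),
                    key=lambda e: e["RuleNumber"]):
        if entry_matches(e, dst_ip, protocol, port):
            return e["RuleAction"] == "allow"
    return False

def blocked_subnets(acls, dst_cidr, port=443):
    """Subnets whose associated NACL blocks TCP egress to dst_cidr on the port."""
    probe = str(next(ipaddress.ip_network(dst_cidr).hosts()))
    return sorted(a["SubnetId"] for acl in acls
                  if not egress_allowed(acl, probe, "6", port)
                  for a in acl["Associations"])
```

Running `blocked_subnets(NETWORK_ACLS, PROVIDER_CIDR)` reports only `subnet-private-b`, the subnet tied to the misconfigured NACL; the subnet on `acl-a` is untouched.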
Administrator, October 25, 2023 at 4:48 am
Thank you for your feedback.
I understand your point about the phrasing “ONE of the subnets.” I can see how that could be open to other interpretations. However, our intention was to focus on the subnets associated with the web application being discussed in the scenario. Hence, the rationale explaining why changing the NACL’s rule would impact all the subnets connected to that NACL.
Your feedback is invaluable, and we’ll strive to make our explanations as clear as possible in the future.
Carlo @ Tutorials Dojo