Member, September 24, 2023 at 12:02 pm
Category: CSAA – Design Secure Architectures
A company hosted a web application on a Linux Amazon EC2 instance in the public subnet that uses a default network ACL. The instance uses a default security group and has an attached Elastic IP address. The network ACL has been configured to block all traffic to the instance. The Solutions Architect must allow incoming traffic on port 443 to access the application from any source.
Which combination of steps will accomplish this requirement? (Select TWO.)
The answer of “In the Network ACL, update the rule to allow inbound TCP connection on port 443 from source 0.0.0.0/0 and outbound TCP connection on port 32768 – 65535 to destination 0.0.0.0/0” seems wrong.
My reasoning: The subnet is using a default NACL. That means all traffic is allowed in and out. Another sentence says NACL has been configured to block all traffic TO the instance. The solution should be to allow inbound traffic on port 443. The outbound traffic is already allowed because it is a default NACL.
Am I missing something or is the question or answer incorrect?
Administrator, September 27, 2023 at 4:32 am
Thank you for sharing your feedback.
I understand your concern. Yes, it’s true that a default NACL allows all inbound and outbound rules. In the context of the scenario, allowing the ephemeral ports in the outbound rule is indeed unnecessary since there’s already an existing one that permits any traffic to pass through. We’ll revise the scenario to ensure it aligns with the correct answers.
Let me know if you have any questions.
Carlo @ Tutorials Dojo
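As an added illustration (not from this thread, and not AWS's own code), here is a small Python model of how a stateless network ACL evaluates traffic: rules are checked lowest number first, the first match wins, and anything unmatched hits the implicit deny. It shows the point both posts make: the outbound ephemeral-port rule is redundant when the default NACL's allow-all outbound rule is still present, but required on a NACL whose outbound side denies everything. Rule numbers and the client port are constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL entry. Source/destination is assumed to be 0.0.0.0/0 (any)."""
    number: int       # evaluation order, lowest first
    action: str       # "allow" or "deny"
    port_from: int
    port_to: int


# Ephemeral range named in the exam question; the reply from the server goes
# back to a port in this range on the client.
EPHEMERAL = (32768, 65535)


def evaluate(rules, port):
    """True if traffic on `port` is allowed: first matching rule decides,
    and an unmatched packet falls through to the implicit deny (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False


def https_session_works(inbound, outbound, client_port=40000):
    """A NACL is stateless: the request to 443 must pass the inbound rules AND
    the reply to the client's ephemeral port must pass the outbound rules."""
    return evaluate(inbound, 443) and evaluate(outbound, client_port)


# Default NACL as created with a VPC: rule 100 allows everything both ways.
DEFAULT_IN = [Rule(100, "allow", 0, 65535)]
DEFAULT_OUT = [Rule(100, "allow", 0, 65535)]

# Scenario: inbound side changed to block all traffic to the instance.
BLOCKED_IN = [Rule(100, "deny", 0, 65535)]

# Fix argued for in the question: allow 443 inbound with a lower rule number
# so it matches before the deny; outbound still has the default allow-all.
FIXED_IN = [Rule(90, "allow", 443, 443)] + BLOCKED_IN

# Fully custom NACL (implicit deny on both sides): here the outbound
# ephemeral rule from the answer key genuinely matters.
CUSTOM_IN = [Rule(90, "allow", 443, 443)]
CUSTOM_OUT_WITHOUT_EPHEMERAL = []
CUSTOM_OUT_WITH_EPHEMERAL = [Rule(90, "allow", *EPHEMERAL)]
```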