  • truleuneek

    September 24, 2023 at 12:02 pm

    Topic-Based: VPC
    Category: CSAA – Design Secure Architectures

    A company hosted a web application on a Linux Amazon EC2 instance in the public subnet that uses a default network ACL. The instance uses a default security group and has an attached Elastic IP address. The network ACL has been configured to block all traffic to the instance. The Solutions Architect must allow incoming traffic on port 443 to access the application from any source.

    Which combination of steps will accomplish this requirement? (Select TWO.)

    The answer of “In the Network ACL, update the rule to allow inbound TCP connection on port 443 from source and outbound TCP connection on port 32768 – 65535 to destination” seems wrong.
    My reasoning: The subnet is using a default NACL. That means all traffic is allowed in and out. Another sentence says NACL has been configured to block all traffic TO the instance. The solution should be to allow inbound traffic on port 443. The outbound traffic is already allowed because it is a default NACL.

    Am I missing something or is the question or answer incorrect?

  • Carlo-TutorialsDojo

    September 27, 2023 at 4:32 am

    Hello truleuneek,

    Thank you for sharing your feedback.

    I understand your concern. Yes, it’s true that a default NACL allows all inbound and outbound rules. In the context of the scenario, allowing the ephemeral ports in the outbound rule is indeed unnecessary since there’s already an existing one that permits any traffic to pass through. We’ll revise the scenario to ensure it aligns with the correct answers.

    Let me know if you have any questions.


    Carlo @ Tutorials Dojo
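
The behaviour this thread turns on, that a network ACL is stateless and checks the reply separately from the request, shown as an added Python example that is not part of the original posts. It models TCP port matching only; the rule sets, function names and client port are constructed for illustration, and 32768-65535 is the range quoted in the answer option.

```python
# Added illustration: a minimal model of stateless network ACL evaluation.
# Rule sets below are constructed for this example, not taken from the question.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    lo: int          # start of port range
    hi: int          # end of port range
    allow: bool

ALLOW_ALL = [Rule(100, 0, 65535, True)]   # what a default NACL ships with
DENY_ALL = []                             # only the implicit "*" deny remains
INBOUND_443 = [Rule(100, 443, 443, True)]
OUTBOUND_EPHEMERAL = [Rule(100, 32768, 65535, True)]
CLIENT_PORT = 51514                       # constructed ephemeral source port

def evaluate(rules, port):
    """First matching rule by ascending number wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.lo <= port <= rule.hi:
            return rule.allow
    return False

def https_round_trip(inbound, outbound, client_port):
    """A NACL keeps no connection state, so the reply is checked separately.

    The request is matched inbound on destination port 443; the reply is
    matched outbound on its destination port, the client's ephemeral port.
    """
    return evaluate(inbound, 443) and evaluate(outbound, client_port)

def scenarios():
    trip = https_round_trip
    return {
        "default NACL, untouched": trip(ALLOW_ALL, ALLOW_ALL, CLIENT_PORT),
        "inbound blocked, outbound default": trip(DENY_ALL, ALLOW_ALL, CLIENT_PORT),
        "inbound 443 added, outbound default": trip(INBOUND_443, ALLOW_ALL, CLIENT_PORT),
        "inbound 443 added, outbound deny-all": trip(INBOUND_443, DENY_ALL, CLIENT_PORT),
        "inbound 443 + outbound 32768-65535": trip(INBOUND_443, OUTBOUND_EPHEMERAL, CLIENT_PORT),
    }

if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:40s} {'reachable' if ok else 'dropped'}")
```

The third and fourth rows are the two readings of the scenario discussed above: with the default outbound rule still in place the inbound 443 rule is enough, while an outbound deny-all drops the reply until the ephemeral range is allowed.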
