ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified SysOps Administrator - Associate All Questions

View all questions & answers for the AWS Certified SysOps Administrator - Associate exam
Go to Exam

Exam AWS Certified SysOps Administrator - Associate topic 1 question 256 discussion

Exam question from Amazon's AWS Certified SysOps Administrator - Associate
Question #: 256
Topic #: 1
[All AWS Certified SysOps Administrator - Associate Questions]

Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2 instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB. Other applications from an on-premises environment cannot communicate with Application A on port 8080.

To troubleshoot the issue, a SysOps administrator analyzes the flow logs. The flow logs include the following records:



What is the reason for the rejected traffic?

  • A. The security group of the EC2 instances has no Allow rule for the traffic from the NLB.
  • B. The security group of the NLB has no Allow rule for the traffic from the on-premises environment.
  • C. The ACL of the on-premises environment does not allow traffic to the AWS environment.
  • D. The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range.
Show Suggested Answer Hide Answer
Suggested Answer: D 🗳️
by csG13 at March 8, 2023, 6:26 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
March2023
11 months, 2 weeks ago
Selected Answer: D
D is correct
upvoted 2 times
...
walala97
1 year, 3 months ago
Selected Answer: D
flow log->vpc->nnetwork acl
upvoted 2 times
...
ahrentom
1 year, 4 months ago
Selected Answer: B
I go with Vivec !!!
upvoted 1 times
...
xSohox
1 year, 6 months ago
Selected Answer: D
Correct answer here is D. But you need to take to consideration that question can be changed on the exam, because from Aug 10, 2023 NLB started supporting Security groups. https://aws.amazon.com/about-aws/whats-new/2023/08/network-load-balancer-supports-security-groups/
upvoted 1 times
...
Gomer
1 year, 9 months ago
Selected Answer: D
The example from the link exactly matches "D" (other than the question example is using HTTP/8080 web proxy port instead of link ICMP example which doesn't show ports). Security group and network ACL rules [...] - "An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance." - "A REJECT record for the response ping that the network ACL denied." [...] 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK [...] 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups
upvoted 1 times
...
noahsark
1 year, 10 months ago
Selected Answer: D
The network ACL that is associated with the subnet does not allow outbound traffic for the ephemeral port range. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
upvoted 1 times
...
michele_scar
1 year, 10 months ago
Selected Answer: D
The traffic isn't going out, so the SG is correct but not the outbound ACL rule.
upvoted 1 times
...
atseki
1 year, 11 months ago
I go for D. If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#:~:text=1431280876%201431280934%20%2D%20SKIPDATA-,Security%20group%20and%20network%20ACL%20rules,-If%20you%27re%20using
upvoted 3 times
...
Vivec
1 year, 11 months ago
Selected Answer: B
According to the flow log record shown in the picture, the traffic is rejected by the security group of the NLB, which means that the traffic is not reaching the EC2 instances. The source IP address in the flow log is from an on-premises environment, which indicates that the issue is related to the communication between the on-premises environment and the NLB. Since the NLB is the entry point for the traffic to reach the EC2 instances, it is important to ensure that the security group of the NLB allows traffic from the on-premises environment. The security group rules should allow inbound traffic from the IP addresses or the CIDR blocks of the on-premises environment on the relevant port (8080 in this case).
upvoted 1 times
ahrentom
1 year, 4 months ago
"Other applications from an on-premises environment cannot communicate with Application A on port 8080" means that from the provided sreenshot 192.168.0.13 is the NLB and 172.31.16.139 is tan OnPrem instance. To have this in mind the communicatin from OnPrem to NLB is reject on port 8080. The only right anwser could only be a security group which is blocking port 8080. I go with Vivec, the right anwser is B
upvoted 1 times
...
Vivec
1 year, 11 months ago
Option D is incorrect because if the network ACL that is associated with the subnet did not allow outbound traffic for the ephemeral port range, the flow log record would have shown that the traffic was rejected by the network ACL.
upvoted 2 times
...
...
csG13
1 year, 11 months ago
Selected Answer: D
I’ll go for D. Looks like that NACL allows inbound traffic from ephemeral port range, but doesn’t allow outbound.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel