ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Advanced Networking - Specialty ANS-C01 All Questions

View all questions & answers for the AWS Certified Advanced Networking - Specialty ANS-C01 exam
Go to Exam

Exam AWS Certified Advanced Networking - Specialty ANS-C01 topic 1 question 51 discussion

Exam question from Amazon's AWS Certified Advanced Networking - Specialty ANS-C01
Question #: 51
Topic #: 1
[All AWS Certified Advanced Networking - Specialty ANS-C01 Questions]

A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied.
The SQS queue is not receiving messages.
Which of the following are possible causes of this problem? (Choose two.)

  • A. The EC2 instance is not attached to an IAM role that allows write operations to Amazon SQS.
  • B. The security group is blocking traffic to the IP address range used by Amazon SQS
  • C. There is no interface VPC endpoint configured for Amazon SQS
  • D. The network ACL is blocking return traffic from Amazon SQS
  • E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS
Show Suggested Answer Hide Answer
Suggested Answer: AC 🗳️
by zaazanuna at March 19, 2023, 12:45 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
study_aws1
Highly Voted 2 years, 3 months ago
It is A) and C) A - EC2 requires IAM role that allows write operations to Amazon SQS C - Being in private subnet, interface endpoint is required to access SQS
upvoted 15 times
Mr_Marcus
2 years, 3 months ago
A - Agreed. See Note at top of page. https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-basic-examples-of-iam-policies.html C - Agreed. https://www.linkedin.com/pulse/aws-interface-endpoint-vs-gateway-alex-chang/
upvoted 3 times
...
...
dremm
Highly Voted 2 years, 2 months ago
Selected Answer: AC
A and C are correct. C - VPC has no public subnet , therefore VPC interface endpoint is needed to get to SQS A- IAM roles are also needed for write operations B- Incorrect , default SG allows 0.0.0.0/0 on any port for outbound traffic from EC2 D- Incorrect, Network ACL allows 0.0.0.0/0 inbound by default E- Incorrect, Amazon SQS uses interface endpoint (privatelink), so no routes are needed in the routing table unlike Gateway Endpoints.
upvoted 5 times
rhinozD
2 years, 2 months ago
D - Incorrect, By default, Network ACL allows all inbound and OUTBOUND IPv4 traffic, if applicable, IPv6 traffic. I agree with you on the others.
upvoted 1 times
...
...
Spaurito
Most Recent 8 months ago
Option C and E - These are all on private subnets. NACL's untouched and should allow all in/outbound traffic by default. SQS being a public service, and no IGW, and you have to create the SQS endpoint, then you need to have a route for the connectivity. This makes the most sense.
upvoted 1 times
Spaurito
7 months, 2 weeks ago
Changing to AC. Even on private subnets should have no impact
upvoted 1 times
...
...
woorkim
8 months, 1 week ago
a &c for correct answer!
upvoted 1 times
...
Raphaello
1 year, 2 months ago
Selected Answer: AC
AC are the correct answers.
upvoted 1 times
...
Arad
1 year, 8 months ago
Selected Answer: AC
For sure A and C.
upvoted 1 times
...
Mishranihal737
1 year, 10 months ago
Yes A & C are correct. E is incorrect as Routes are needed for gateway endpoints only.
upvoted 1 times
...
sp237
1 year, 11 months ago
A and C https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-sending-messages-from-vpc.html
upvoted 1 times
...
[Removed]
1 year, 11 months ago
Selected Answer: CE
Option A is incorrect because the EC2 instance does not need an IAM role to send messages to an Amazon SQS queue. Option B is incorrect because the default security group allows all outbound traffic. Option C is correct because there is no interface VPC endpoint configured for Amazon SQS . Option D is incorrect because the network ACL allows all inbound and outbound traffic. Option E is correct because SQS could be on a different address range and routes are not setup.
upvoted 1 times
...
[Removed]
1 year, 11 months ago
Option A is incorrect because the EC2 instance does not need an IAM role to send messages to an Amazon SQS queue. Option B is incorrect because the default security group allows all outbound traffic. Option C is correct because there is no interface VPC endpoint configured for Amazon SQS . Option D is incorrect because the network ACL allows all inbound and outbound traffic. Option E is correct because SQS could be on a different address range and routes are not setup.
upvoted 1 times
...
ITgeek
2 years, 2 months ago
Selected Answer: AC
A and C are correct
upvoted 2 times
...
devopsbro
2 years, 3 months ago
switching to A and C.
upvoted 4 times
...
devopsbro
2 years, 3 months ago
CD - Need VPC interface endpoint to communicate with SQS from private subnet. Default NACL will block all the inbound traffic.
upvoted 2 times
...
helloworldabc
2 years, 3 months ago
BBBBBBBEEEEEEE
upvoted 1 times
Mr_Marcus
2 years, 3 months ago
B is wrong. The default security group allows all outbound traffic, until modified. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html#default-security-group
upvoted 1 times
...
...
zaazanuna
2 years, 3 months ago
B, E - correct. B. The security group is blocking traffic to the IP address range used by Amazon SQS: By default, Amazon SQS uses the Amazon S3 endpoint for the region. If the default security group applied to the instance is blocking outbound traffic to the Amazon S3 endpoint, then the EC2 instance cannot send messages to the Amazon SQS queue. E. There is no route configured in the subnet route table for the IP address range used by Amazon SQS: The EC2 instance in the private subnet requires a route to the Amazon SQS endpoint. If there is no route configured in the subnet route table, then the traffic will not be able to reach the Amazon SQS service.
upvoted 1 times
rhinozD
2 years, 2 months ago
Both B and E are wrong. B: No, SG allows all outbound traffic. E: No, Event if you use the SQS Endpoint, it is an interface endpoint and you don't need to modify route table.
upvoted 1 times
...
Mr_Marcus
2 years, 3 months ago
B is wrong. The default security group allows all outbound traffic, until modified. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/default-custom-security-groups.html#default-security-group
upvoted 2 times
...
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel