ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS-SysOps All Questions

View all questions & answers for the AWS-SysOps exam
Go to Exam

Exam AWS-SysOps topic 1 question 253 discussion

Exam question from Amazon's AWS-SysOps
Question #: 253
Topic #: 1
[All AWS-SysOps Questions]

A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses
CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?

  • A. For Inbound allow Source: 20.0.1.0/24 on port 80
  • B. For Outbound allow Destination: 0.0.0.0/0 on port 80
  • C. For Inbound allow Source: 20.0.0.0/24 on port 80
  • D. For Outbound allow Destination: 0.0.0.0/0 on port 443
Show Suggested Answer Hide Answer
Suggested Answer: C 🗳️
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the private subnet can connect to the internet using the NAT instances. The user should first configure that NAT can receive traffic on ports 80 and 443 from the private subnet. Thus, allow ports 80 and 443 in Inbound for the private subnet 20.0.1.0/24. Now to route this traffic to the internet configure ports 80 and 443 in Outbound with destination 0.0.0.0/0. The NAT should not have an entry for the public subnet CIDR.
by karmaah at Dec. 19, 2019, 11:58 p.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
karmaah
Highly Voted 2 years, 2 months ago
After some headache, I try to understand based on answers. DB connects to NAT from private subnet(20.0.1.0/24) for Internet connection thru http/https(ie,.80 or 443 ).So that , DB instance should be allowed as inbound in NAT SG. Hence A is required. Now NAT SG connects to internet(0.0.0.0) thru 80/443 which is Outbound.Hence B & D are Required. Remaining option C, which mentioned public subnet. it can be ignored.
upvoted 8 times
shimmy
2 years, 2 months ago
It is because 20.0.0.0/24 is in the public subnet so it does not need to go to the NAT instance. It already has public access.
upvoted 3 times
...
...
albert_kuo
Most Recent 6 months, 1 week ago
Selected Answer: C
ince the NAT instance is not intended to receive inbound traffic from the public subnet, this inbound rule is not necessary for the NAT security group. The primary purpose of the NAT instance is to handle outbound traffic and provide internet connectivity to the resources in the private subnet.
upvoted 1 times
...
sergioandreslq
2 years, 1 month ago
C correct: Reason: NAT instance is not used for inbound traffic from internet to reach public subnet, so, It is not required rule: "Inbound allow Source: 20.0.0.0/24 on port 80" because if there is a webserver on port 80, it will use another way for inbound traffic like EIP, ELB, CloudFront, API Gateway. A is required: DB instance in private subnet will send request to NAT instance from 20.0.0.0/24 to port 80 and port 443, so, the NAT instance should be allowed as inbound in NAT SG. B & D are Required: Now NAT SG connects to internet (0.0.0.0) using 80/443 which is Outbound. Outbound allow Destination: 0.0.0.0/0 on port 80 and Outbound allow Destination: 0.0.0.0/0 on port 443
upvoted 2 times
...
Kt45
2 years, 2 months ago
This question is a little confusing. I understand that C is the more correct answer but taken within context of the question we also don't need port 443 rules or need to allow traffic to and from on port 80 with the private subnet. It seems like this question is testing for general best practices for NAT instances rather than this specific scenario.
upvoted 1 times
Golddust
2 years, 2 months ago
They asked what is NOT required. I agree with you that 443 should be included but answering the question would be C. Since public IP will route through the Internet Gateway.
upvoted 1 times
...
...
AlbertEd
2 years, 2 months ago
Answer is A
upvoted 1 times
AlbertEd
2 years, 2 months ago
Answer is C.. I am networking guy.. But this is not make sense https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html
upvoted 1 times
...
Golddust
2 years, 2 months ago
They ask what is NOT required. A is the private subnet and it will be required.
upvoted 1 times
...
...
awscertified
2 years, 2 months ago
C. For Inbound allow Source: 20.0.0.0/24 on port 80
upvoted 1 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel