Exam AWS Certified SysOps Administrator - Associate All Questions

Exam AWS Certified SysOps Administrator - Associate topic 1 question 276 discussion

A company website contains a web tier and a database tier on AWS. The web tier consists of Amazon EC2 instances that run in an Auto Scaling group across two Availability Zones. The database tier runs on an Amazon RDS for MySQL Multi-AZ DB instance. The database subnet network ACLs are restricted to only the web subnets that need access to the database. The web subnets use the default network ACL with the default rules.

The company's operations team has added a third subnet to the Auto Scaling group configuration. After an Auto Scaling event occurs, some users report that they intermittently receive an error message. The error message states that the server cannot connect to the database. The operations team has confirmed that the route tables are correct and that the required ports are open on all security groups.

Which combination of actions should a SysOps administrator take so that the web servers can communicate with the DB instance? (Choose two.)

  • A. On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets.
  • B. On the default ACL, create outbound Allow rules of type MySQL/Aurora (3306). Specify the destinations as the database subnets.
  • C. On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet.
  • D. On the network ACLs for the database subnets, create an outbound Allow rule of type TCP with the ephemeral port range and the destination as the third web subnet.
  • E. On the network ACLs for the database subnets, create an outbound Allow rule of type MySQL/Aurora (3306). Specify the destination as the third web subnet.
Suggested Answer: CD

Comments

Gomer
Highly Voted 1 year ago
Selected Answer: CD
The simplified logic I came up with is if the same existing/working public NACL is applied to the new pub subnet, then no change should need to be made to the rules. On the other hand, the custom DB subnet NACL needs to have new incoming/outgoing rules to also operate with the new public subnet. Incoming is always going to be 3306 to the DB listener (MySQL). Outgoing is always going to be ephemeral from the DB server to public subnet. I must be slow or tired, but it took some effort for this to become clear in my mind tonight. You're only allowing an existing subnet, and you don't want to touch any existing configurations, or you're going to create a new problem and maybe be looking for a new job. I'd always document a checklist before doing something like this, and run it through peer review and change control before touching prod. I'd turn those notes into a SOP and include any references I could find documenting AWS best practices, etc. Enough said.
upvoted 9 times
Gomer
1 year ago
I meant to say "you're only allowing a NEW subnet and you don't want to touch any existing configurations..."
upvoted 2 times
jipark
Most Recent 8 months, 3 weeks ago
Selected Answer: CD
C. allow inbound to DB, D. allow outbound for return port
upvoted 4 times
Christina666
9 months, 2 weeks ago
Selected Answer: AC
To ensure that the web servers can communicate with the DB instance after adding the third subnet to the Auto Scaling group configuration, you need to make changes to the network ACLs. The network ACLs control the traffic flow in and out of the subnets. Here are the two actions you should take: A. On the default ACL, create inbound Allow rules of type TCP with the ephemeral port range and the source as the database subnets. Explanation: By allowing inbound TCP traffic with the ephemeral port range (usually ports 1024-65535) from the database subnets to the web subnets, you enable communication between the web tier and the database tier. The web servers use these ephemeral ports as source ports when connecting to the database on port 3306.
upvoted 2 times
Christina666
9 months, 2 weeks ago
C. On the network ACLs for the database subnets, create an inbound Allow rule of type MySQL/Aurora (3306). Specify the source as the third web subnet. Explanation: This allows inbound MySQL/Aurora (3306) traffic from the third web subnet to the database subnet. Since the error message states that the server cannot connect to the database intermittently, it suggests that the third subnet is being used during scaling events, and this rule will enable the web servers in the new subnet to connect to the database.
upvoted 1 times
Christina666
9 months, 2 weeks ago
Sorry, I vote for CD as well, please correct @examtopics link: https://repost.aws/knowledge-center/resolve-connection-sg-acl-inbound
upvoted 3 times
Christina666
9 months, 2 weeks ago
To turn on the connection to a service running on an instance, the associated network ACL must allow the following:
  • Inbound traffic on the port that the service is listening on
  • Outbound traffic to ephemeral ports
When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. The designated ephemeral port becomes the destination port for return traffic from the service. Outbound traffic to the ephemeral port must be allowed in the network ACL. For more information on modifying network ACL rules, see Add and delete rules. By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic to the ephemeral port range.
upvoted 3 times
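To make the stateless-evaluation point behind the suggested answer (C and D) and the AWS note quoted above concrete, here is an added worked model. It is example code written for this page, not code from the question, from AWS, or from any commenter, and the subnet CIDRs, rule numbers, instance addresses and client port are constructed assumptions. It evaluates the four ACL checks a single MySQL connection crosses (web outbound, DB inbound, DB outbound, web inbound) and shows that rule C alone lets the SYN in but the return traffic is still dropped until rule D exists, that answer E (outbound 3306) does not help because the return packets are addressed to the client's ephemeral port rather than 3306, and that the existing web subnets keep working throughout, which is why nothing on the default web-side ACL needs to change.

```python
"""Stateless network ACL model for the third-web-subnet scenario.

Constructed example (not from the page or from AWS). A VPC network ACL is
evaluated lowest rule number first, first match wins, with an implicit deny
('*') at the end, and it is stateless: the return half of a TCP session is
checked on its own, against the outbound rules of the DB subnet.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not from the question text).
WEB_SUBNET_1 = "10.0.1.0/24"
WEB_SUBNET_2 = "10.0.2.0/24"
WEB_SUBNET_3 = "10.0.3.0/24"   # the subnet the operations team added
EPHEMERAL = (1024, 65535)      # range quoted in the AWS note above
MYSQL = (3306, 3306)


@dataclass(frozen=True)
class Rule:
    number: int     # evaluated in ascending order; first match wins
    protocol: str   # "tcp", or "-1" for all protocols (no port check)
    ports: tuple    # (from, to) destination port range
    cidr: str       # source CIDR for inbound rules, destination for outbound
    action: str     # "allow" or "deny"


def evaluate(rules, protocol, port, peer_ip):
    """Action of the first matching rule, or 'deny' for the implicit '*' rule."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.ports[0] <= port <= r.ports[1]):
            continue
        if ip_address(peer_ip) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"


@dataclass
class Nacl:
    inbound: list
    outbound: list


# The default network ACL: rule 100 allows all traffic in both directions.
default_nacl = Nacl(
    inbound=[Rule(100, "-1", (0, 65535), "0.0.0.0/0", "allow")],
    outbound=[Rule(100, "-1", (0, 65535), "0.0.0.0/0", "allow")],
)


def restricted_db_nacl(web_subnets):
    """Custom DB-subnet ACL: 3306 in from each web subnet, ephemeral out to each."""
    inbound, outbound = [], []
    for i, cidr in enumerate(web_subnets):
        inbound.append(Rule(100 + 10 * i, "tcp", MYSQL, cidr, "allow"))
        outbound.append(Rule(100 + 10 * i, "tcp", EPHEMERAL, cidr, "allow"))
    return Nacl(inbound, outbound)


def mysql_connection_ok(web_nacl, db_nacl, web_ip, db_ip, client_port=49152):
    """Check both halves of one TCP session through two stateless ACLs.

    Forward: web -> DB, destination port 3306 (web outbound, then DB inbound).
    Return:  DB -> web, destination port = the client's ephemeral source port
             (DB outbound, then web inbound).
    """
    forward = (evaluate(web_nacl.outbound, "tcp", MYSQL[0], db_ip) == "allow"
               and evaluate(db_nacl.inbound, "tcp", MYSQL[0], web_ip) == "allow")
    back = (evaluate(db_nacl.outbound, "tcp", client_port, web_ip) == "allow"
            and evaluate(web_nacl.inbound, "tcp", client_port, db_ip) == "allow")
    return {"forward": forward, "return": back, "connected": forward and back}


def scenario():
    """Connection from a web-3 instance before the fix, after C, after C+D, after C+E."""
    web3, web1, db = "10.0.3.25", "10.0.1.7", "10.0.10.40"   # constructed hosts
    rule_c = Rule(120, "tcp", MYSQL, WEB_SUBNET_3, "allow")       # answer C
    rule_d = Rule(120, "tcp", EPHEMERAL, WEB_SUBNET_3, "allow")   # answer D
    rule_e = Rule(120, "tcp", MYSQL, WEB_SUBNET_3, "allow")       # answer E (outbound 3306)

    def db_nacl(extra_in=(), extra_out=()):
        n = restricted_db_nacl([WEB_SUBNET_1, WEB_SUBNET_2])
        n.inbound.extend(extra_in)
        n.outbound.extend(extra_out)
        return n

    return {
        "before": mysql_connection_ok(default_nacl, db_nacl(), web3, db),
        "after_C": mysql_connection_ok(default_nacl, db_nacl([rule_c]), web3, db),
        "after_C_and_D": mysql_connection_ok(default_nacl, db_nacl([rule_c], [rule_d]), web3, db),
        "after_C_and_E": mysql_connection_ok(default_nacl, db_nacl([rule_c], [rule_e]), web3, db),
        # An instance in an existing web subnet works the whole time: the
        # default web-side ACL already allows everything, so A and B add nothing.
        "existing_web1": mysql_connection_ok(default_nacl, db_nacl(), web1, db),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name:14s} {result}")
```

In a real account the two additions are two `aws ec2 create-network-acl-entry` calls against the DB subnets' ACL, one `--ingress` for TCP 3306 and one `--egress` for the ephemeral range, each with the third web subnet's CIDR. Pick rule numbers that sort before any existing deny rule, since the first match wins, and apply them to the ACL of both DB subnets (the question's Multi-AZ instance can fail over to the standby subnet at any time). The model also shows why the symptom is intermittent: only the instances that Auto Scaling happens to launch in the third subnet hit the missing rules.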
Community vote distribution: A (35%), C (25%), B (20%), Other