ExamTopics Logo
Mail Us[email protected]
Menu
Amazon Discussions
exam questions

Exam AWS Certified Solutions Architect - Professional SAP-C02 All Questions

View all questions & answers for the AWS Certified Solutions Architect - Professional SAP-C02 exam
Go to Exam

Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 255 discussion

Exam question from Amazon's AWS Certified Solutions Architect - Professional SAP-C02
Question #: 255
Topic #: 1
[All AWS Certified Solutions Architect - Professional SAP-C02 Questions]

A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.

In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.

Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)

  • A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances.
  • B. Check that the NACL is attached to the logging service subnets to allow communications to and from the interface endpoint subnets. Check that the NACL is attached to the interface endpoint subnet to allow communications to and from the logging service subnets running on EC2 instances.
  • C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.
  • D. Check the security group for the logging service running on EC2 instances to ensure it allows ingress from the clients.
  • E. Check the security group for the NLB to ensure it allows ingress from the interface endpoint subnets.
Show Suggested Answer Hide Answer
Suggested Answer: AC 🗳️
by shree2023 at June 24, 2023, 6:45 a.m.
Disclaimers:
  • - ExamTopics website is not related to, affiliated with, endorsed or authorized by Amazon.
  • - Trademarks, certification & product names are used for reference only and belong to Amazon.

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Submit Cancel
magmichal05
Highly Voted 1 year, 2 months ago
Selected Answer: AC
When you associate a Network Load Balancer with an endpoint service, the Network Load Balancer forwards requests to the registered target. The requests are forwarded as if the target was registered by IP address. In this case, the source IP addresses are the private IP addresses of the load balancer nodes. If you have access to the Amazon VPC endpoint service, then verify that: The Inbound security group rules of the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes The rules within the network ACL associated with the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 14 times
...
red_panda
Highly Voted 7 months, 2 weeks ago
Selected Answer: AC
A and C. The flow is: Application -> NLB -> Logging Monitor Tool. So we need to check NACL of NLB subnets (in and out from applications client and in and out to EC2 subnet) and Security group (Statefull, so only ingress) of EC2 Instances of Logging Monitor Tool.
upvoted 6 times
...
loreeant
Most Recent 1 week ago
Selected Answer: BC
Option A is incorrect because it focuses on communication between the NLB subnets and the logging service subnets, which is not the primary path for PrivateLink traffic.
upvoted 1 times
...
Longc
2 months, 2 weeks ago
Selected Answer: CE
To resolve connectivity issues between clients using VPC endpoints and the logging service: NLB Security Group (Option E): The NLB must allow traffic from the subnets where the client's interface endpoints reside. Since clients connect via PrivateLink, the NLB’s security group must permit ingress from the CIDR blocks of the client’s interface endpoint subnets. EC2 Security Group (Option C): The EC2 instances hosting the logging service must allow traffic from the NLB’s subnets. The NLB forwards traffic to the EC2 instances, and their security group must permit ingress from the NLB’s subnet CIDRs (or the NLB’s security group).
upvoted 1 times
...
eesa
3 months ago
Selected Answer: BE
B.- Network ACLs operate at the subnet level and could be blocking traffic between: The interface endpoints (created in each AWS account) and the logging service's subnets. The logging service subnets and the interface endpoint subnets. AWS PrivateLink uses interface endpoints, and the NACL must allow inbound/outbound traffic between the interface endpoint subnets and the EC2 instances running the logging service. E.-The interface endpoint in each AWS account connects to the NLB. If the NLB security group does not allow ingress from the interface endpoint subnets, traffic from the clients will be dropped.
upvoted 1 times
...
titi_r
7 months, 1 week ago
Selected Answer: AC
A and C. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 2 times
...
BrijMohan08
7 months, 3 weeks ago
Selected Answer: BD
B. Network Access Control Lists (NACLs) act as a firewall at the subnet level. To ensure communication between the interface endpoint subnets and the logging service subnets running on EC2 instances, the NACLs attached to both subnets should be configured to allow the necessary traffic. D. Security groups act as virtual firewalls at the instance level. To allow clients to submit logs to the logging service running on EC2 instances, the security group associated with the EC2 instances should be configured to allow ingress traffic from the clients' IP addresses or security groups.
upvoted 2 times
altonh
3 months, 3 weeks ago
The EC2 will not receive the interface endpoint IP but the NLB's IP instead.
upvoted 1 times
...
...
chelbsik
10 months, 2 weeks ago
Selected Answer: CE
CE: we only need to allow access from client -> NLB -> application
upvoted 3 times
...
Mehrannn
11 months, 3 weeks ago
Selected Answer: BD
B&D are correct answers. Rational: EC2s and NLB are both in one subnet, so the NACL is associated with one subnet and there is no NACL which controls EC2 and NLB communication --> A is not Valid, C is not Valid. Security groups are attached to EC2s --> E is not Valid
upvoted 1 times
7f6aef3
7 months, 3 weeks ago
The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets.
upvoted 1 times
...
...
duriselvan
1 year ago
guys .pls B,E ans e:- The Inbound security group rules of the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes
upvoted 1 times
...
duriselvan
1 year ago
CE is ans The clients are trying to connect to the logging service through the NLB. The NLB needs to forward the requests to the EC2 instances running the logging service. Therefore, both the NLB and the EC2 instances need to have security group rules allowing inbound traffic from each other's subnets.
upvoted 2 times
...
ayadmawla
1 year ago
Selected Answer: AC
Link below seems to confirm it. The focus is on the Provider VPC so the question wasn't really that clear. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint
upvoted 3 times
...
career360guru
1 year ago
Selected Answer: AC
A and C
upvoted 1 times
...
severlight
1 year, 1 month ago
Selected Answer: AC
see magmichal05's answer
upvoted 1 times
...
dpatra
1 year, 2 months ago
Selected Answer: BE
B is pretty clear plus E is valid as well since AWS has introduced support for associating security groups with Network Load Balancers (NLBs).
upvoted 1 times
...
Certified101
1 year, 2 months ago
Selected Answer: AC
AC - NLB needs to be allowed to the instances otherwise targets are unhealthy
upvoted 1 times
...
cmoreira
1 year, 3 months ago
Selected Answer: AC
AC 3rd point on https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#considerations-endpoint-services
upvoted 3 times
...
Load full discussion...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel