Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 255 discussion

When you associate a Network Load Balancer with an endpoint service, the Network Load Balancer forwards requests to the registered target. The requests are forwarded as if the target was registered by IP address. In this case, the source IP addresses are the private IP addresses of the load balancer nodes. If you have access to the Amazon VPC endpoint service, then verify that: The Inbound security group rules of the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes The rules within the network ACL associated with the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint

A and C. The flow is: Application -> NLB -> Logging Monitor Tool. So we need to check NACL of NLB subnets (in and out from applications client and in and out to EC2 subnet) and Security group (Statefull, so only ingress) of EC2 Instances of Logging Monitor Tool.

To resolve connectivity issues between clients using VPC endpoints and the logging service: NLB Security Group (Option E): The NLB must allow traffic from the subnets where the client's interface endpoints reside. Since clients connect via PrivateLink, the NLB’s security group must permit ingress from the CIDR blocks of the client’s interface endpoint subnets. EC2 Security Group (Option C): The EC2 instances hosting the logging service must allow traffic from the NLB’s subnets. The NLB forwards traffic to the EC2 instances, and their security group must permit ingress from the NLB’s subnet CIDRs (or the NLB’s security group).

B.- Network ACLs operate at the subnet level and could be blocking traffic between: The interface endpoints (created in each AWS account) and the logging service's subnets. The logging service subnets and the interface endpoint subnets. AWS PrivateLink uses interface endpoints, and the NACL must allow inbound/outbound traffic between the interface endpoint subnets and the EC2 instances running the logging service. E.-The interface endpoint in each AWS account connects to the NLB. If the NLB security group does not allow ingress from the interface endpoint subnets, traffic from the clients will be dropped.

A and C. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint

B. Network Access Control Lists (NACLs) act as a firewall at the subnet level. To ensure communication between the interface endpoint subnets and the logging service subnets running on EC2 instances, the NACLs attached to both subnets should be configured to allow the necessary traffic. D. Security groups act as virtual firewalls at the instance level. To allow clients to submit logs to the logging service running on EC2 instances, the security group associated with the EC2 instances should be configured to allow ingress traffic from the clients' IP addresses or security groups.

CE: we only need to allow access from client -> NLB -> application

B&D are correct answers. Rational: EC2s and NLB are both in one subnet, so the NACL is associated with one subnet and there is no NACL which controls EC2 and NLB communication --> A is not Valid, C is not Valid. Security groups are attached to EC2s --> E is not Valid

guys .pls B,E ans e:- The Inbound security group rules of the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes

CE is ans The clients are trying to connect to the logging service through the NLB. The NLB needs to forward the requests to the EC2 instances running the logging service. Therefore, both the NLB and the EC2 instances need to have security group rules allowing inbound traffic from each other's subnets.

Link below seems to confirm it. The focus is on the Provider VPC so the question wasn't really that clear. https://repost.aws/knowledge-center/security-network-acl-vpc-endpoint

A and C

see magmichal05's answer

B is pretty clear plus E is valid as well since AWS has introduced support for associating security groups with Network Load Balancers (NLBs).

AC - NLB needs to be allowed to the instances otherwise targets are unhealthy

AC 3rd point on https://docs.aws.amazon.com/vpc/latest/privatelink/create-endpoint-service.html#considerations-endpoint-services

https://www.examtopics.com/discussions/amazon/view/36058-exam-aws-certified-solutions-architect-professional-topic-1/