Exam ANS-C00 topic 1 question 26 discussion

Should be B.... Ref: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance.

B is correct. I built a setup in AWS to check. 2 432927501311 eni-03dd2eabc26a7e618 172.31.13.215 10.1.0.219 0 0 1 7 588 1582377988 1582378048 ACCEPT OK 2 432927501311 eni-03dd2eabc26a7e618 10.1.0.219 172.31.13.215 0 0 1 20 1680 1582377988 1582378108 ACCEPT OK 2 432927501311 eni-03dd2eabc26a7e618 172.31.13.215 10.1.0.219 0 0 1 13 1092 1582378071 1582378108 REJECT OK

Correct Answer B

Correct Answer B

Careful with the flow-log fields (packets, bytes, start, end). The only plausible answer is B.

B is Correct. Remember the difference between the NACL and the SG, notice that ingress traffic is permitted, it’s the return egress traffic that is rejected…Thisnis not only about AWS, it’s about basic networking.

With SG and NACL there is 4 log entries. Order is 1. NACL Inbound-> SG (request) 2. SG -> NACL Outbound (response) This case it is B 3 ACCEPTs and 1 REJECT. If Security Group doesn't allow, then the first 1 ACCEPT, 3 REJECTs

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html SG is stateful, means if you allow on inbound, outbound is also allowed, so the 2 lines mean that SG is fine and allow ICMP, one ping send, one ping respond. The 3rd line indicates that the NACL outbound is REJECT. (Source IP is EC2, Dest. IP is outside)

C is Correct. The flow logs are showing two separate ping connections. The first two lines, belong to a successful ping request/response originated from Cloud host to on-prem Server. That confirms that NACL are permitting in both directions because they are stateless. It confirm Sec Group is permitting outbound ICMP from Cloud host. The 3rd line is dropping ping requests from On-Prem to Cloud host therefore no response is generated. Since NACL are not the issue, its the inbound Sec Group on the Cloud host dropping inbound ICMP.

A or D should work. But for ALB, while setup target group, it's a CIDR, not IP

I mean B, the Outbound NACL is blocking.

The answer should D. NACL-In Allowed (4 packets); SG-In allowed (4 packets); SG-Out allowed (4 packets); the NACL-Out Denied (4 packets REJECTs)

Traffic order is User->in NACL-> in SG -> EC2->out SG -> out NACL. Now ec2 could send a packet to on-premise user(second flow logs action is Accept), so the order before EC2 is allowed. So out SG is allowed(SG is stateful). So the out NACL block the out traffic. So B. OK?

Answer is B, we have TWO accepts, so B is correct. Ref: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance.

B is correct

On the second line, the outbound packet is confirmed normally after the inbound packet. however, the last line only sent outbound packets without inbound packets, so the status information determines whether or not to block them. So I go with D

Maybe D. The 1st trail has 8 packets of 672 bytes. First 336 bytes went thru successfully but the 2nd 336 bytes failed due to outbound SG rule.