Exam ANS-C00 topic 1 question 53 discussion

Exam question from Amazon's ANS-C00
Question #: 53
Topic #: 1

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
  • Protocol: TCP
  • Port: 80 inbound and nothing outbound
The Network ACL for the subnet is configured to allow as follows:
  • Protocol: TCP
  • Port: 80 inbound and nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?

  • A. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
  • B. Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
  • C. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
  • D. Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
Suggested Answer: D

Comments

route53
Highly Voted 3 years, 8 months ago
I think it's D. When the reply packet goes from the web server to the internet, source port = 80 and destination port = anything between 1024-65535. Since NACLs look at the destination port, the answer should be D.
upvoted 28 times
learningaws
3 years, 7 months ago
Completely agree!!
upvoted 1 times
psuthar0101
Highly Voted 3 years, 6 months ago
I did simulate this problem by blocking outbound rules in the NACL as well as the security group. As per my investigation, EC2 (web server) needs ephemeral ports (1024 - 65535) allowed in order to respond back to the HTTP GET request. So answer D is correct.
upvoted 8 times
sapien45
3 years, 2 months ago
thanks ephemeral ports are always a mystery to me
upvoted 1 times
Raphaello
Most Recent 1 year, 1 month ago
Selected Answer: D
D is correct.
upvoted 1 times
etarga
2 years, 4 months ago
Selected Answer: D
Correct Answer D
upvoted 1 times
Marty2021
2 years, 11 months ago
Selected Answer: D
It is D. As you haven't allowed ephemeral ports on the outbound NACL, the request will ingress on port 80 to the server from the client, the server will respond to an ephemeral port (1024-65535), and the egress response will be blocked by the outbound NACL.
upvoted 2 times
nklocal
2 years, 11 months ago
D is correct
upvoted 1 times
clooudy
3 years ago
Selected Answer: D
A and B are out since the SG is stateful; it only needs an inbound rule to allow port 80. C is out since the return packet uses ports 1024-65535, not port 80. Answer D.
upvoted 2 times
tuberculat
3 years, 7 months ago
Answer should be B and/or D. Neither security group nor NACL outbound is configured. Both should have ephemeral ports opened for connectivity.
upvoted 1 times
MaikM
3 years, 6 months ago
B is wrong. Security groups do not need outbound allowed because they are stateful. Inbound is already allowed. D is OK
upvoted 3 times
kvirk
3 years, 7 months ago
D is correct
upvoted 2 times
sleekdunga
3 years, 7 months ago
Answer: D. To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/
upvoted 7 times
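The stateful-vs-stateless distinction the thread keeps coming back to is easy to see in a small model. The following Python is an added example written for this page; it is not code from the exam, from any poster, or from AWS. It models a security group as stateful (a reply to an allowed inbound packet is let out without an outbound rule) and a network ACL as stateless (the reply is matched against outbound rules on its own destination port), and runs the question's scenario plus options C and D. The client source port 51234, the rule classes and the ordering of checks are constructed assumptions; CIDR matching, rule numbers and explicit deny rules are deliberately left out.

```python
"""Stateful security group vs stateless network ACL, simulated.

Added example for the exam question above (not AWS code). Rules, ports and
the packet flow are constructed for illustration; real NACLs also carry rule
numbers, CIDRs and deny entries, which this model omits.
"""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # range used in the question and in the AWS knowledge-center article


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", relative to the instance/subnet
    proto: str       # only "tcp" is used here
    port_from: int
    port_to: int

    def matches(self, direction: str, proto: str, dst_port: int) -> bool:
        return (self.direction == direction and self.proto == proto
                and self.port_from <= dst_port <= self.port_to)


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (client -> server) or "out" (server -> client)
    proto: str
    src_port: int
    dst_port: int


class SecurityGroup:
    """Stateful: replies to tracked inbound flows pass regardless of outbound rules."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()  # (proto, remote_port, local_port) of allowed inbound flows

    def allows(self, pkt: Packet) -> bool:
        if pkt.direction == "in":
            ok = any(r.matches("in", pkt.proto, pkt.dst_port) for r in self.rules)
            if ok:
                self.tracked.add((pkt.proto, pkt.src_port, pkt.dst_port))
            return ok
        # Outbound: a reply to a tracked flow is allowed; anything else needs an outbound rule.
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self.tracked:
            return True
        return any(r.matches("out", pkt.proto, pkt.dst_port) for r in self.rules)


class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule for its own direction."""

    def __init__(self, rules):
        self.rules = rules

    def allows(self, pkt: Packet) -> bool:
        return any(r.matches(pkt.direction, pkt.proto, pkt.dst_port) for r in self.rules)


def http_exchange(sg: SecurityGroup, nacl: NetworkAcl, client_port: int = 51234):
    """Return (request_delivered, reply_delivered) for one HTTP request to port 80."""
    request = Packet("in", "tcp", src_port=client_port, dst_port=80)
    reply = Packet("out", "tcp", src_port=80, dst_port=client_port)
    # Inbound: NACL at the subnet edge first, then the instance's SG.
    request_ok = nacl.allows(request) and sg.allows(request)
    # Outbound reply: SG first (stateful), then NACL (stateless) on the way out of the subnet.
    reply_ok = request_ok and sg.allows(reply) and nacl.allows(reply)
    return request_ok, reply_ok


def scenario(nacl_out_rules):
    """SG: TCP 80 inbound, nothing outbound. NACL: TCP 80 inbound plus the given outbound rules."""
    sg = SecurityGroup([Rule("in", "tcp", 80, 80)])
    nacl = NetworkAcl([Rule("in", "tcp", 80, 80), *nacl_out_rules])
    return http_exchange(sg, nacl)


def as_in_question():
    return scenario([])                                 # no outbound NACL rule: reply dropped


def option_c():
    return scenario([Rule("out", "tcp", 80, 80)])       # outbound 80 only: reply still dropped


def option_d():
    return scenario([Rule("out", "tcp", *EPHEMERAL)])   # outbound 1024-65535: reply delivered


if __name__ == "__main__":
    for name, fn in (("as in question", as_in_question), ("option C", option_c), ("option D", option_d)):
        req, rep = fn()
        print(f"{name:15s} request delivered={req} reply delivered={rep}")
```

In the model, option C fails for the reason the thread gives: the reply's destination port is the client's ephemeral port, not 80, so an outbound NACL entry for port 80 never matches it. On a real VPC the equivalent of option D is one NACL entry, for example `aws ec2 create-network-acl-entry --egress --network-acl-id <acl-id> --rule-number 100 --protocol tcp --rule-action allow --cidr-block 0.0.0.0/0 --port-range From=1024,To=65535` (acl-id and rule number are placeholders). 1024-65535 is used because the client's ephemeral range depends on its operating system and NAT devices in the path, so a narrower range risks dropping replies to some clients.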
OKMAN
3 years, 7 months ago
I am a bit confused. It says in the question that no NACL outbound rule for port 80 is configured, right? NACLs are stateless, so an NACL outbound rule for port 80 needs to be added, right? The communication is through port 80, right? Please advise!!
upvoted 1 times
BillyC
3 years, 7 months ago
Yes D its correct
upvoted 7 times
learningaws
3 years, 7 months ago
Ephemeral ports should be allowed on the outbound NACL. So it's D.
upvoted 2 times
kab
3 years, 7 months ago
I agree, D is the right answer.
upvoted 4 times
dpvnme
3 years, 7 months ago
DDDDDDDD
upvoted 5 times