
Exam AWS Certified Security - Specialty topic 1 question 173 discussion

Exam question from Amazon's AWS Certified Security - Specialty
Question #: 173
Topic #: 1

Authorized administrators are unable to connect to an Amazon EC2 Linux bastion host using SSH over the Internet. The connection either fails to respond or generates the following error message:
Network error: Connection timed out.
What could be responsible for the connection failure? (Choose three.)

  • A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured.
  • B. The internet gateway of the VPC has been misconfigured.
  • C. The security group denies outbound traffic on ephemeral ports.
  • D. The route table is missing a route to the internet gateway.
  • E. The NACL denies outbound traffic on ephemeral ports.
  • F. The host-based firewall is denying SSH traffic.
Suggested Answer: DEF

Comments

PeppaPig
Highly Voted 3 years, 7 months ago
DEF. A is wrong: NAT is not related here. B is wrong: you cannot configure the IGW. C is wrong: SGs cannot DENY traffic.
upvoted 44 times
freddyman
3 years, 7 months ago
Agree DEF, agree with reasoning
upvoted 7 times
JackLee1
Highly Voted 3 years, 7 months ago
D,E,F are valid
upvoted 10 times
Raphaello
Most Recent 1 year, 2 months ago
Selected Answer: DEF
DEFinitely the correct answers in this case.
upvoted 1 times
Passexam4sure_com
1 year, 7 months ago
Selected Answer: DEF
Agree DEF, agree with reasoning
upvoted 1 times
PrabhuGr
1 year, 7 months ago
A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured. - A bastion host setup doesn't require a NAT gateway - incorrect option.
B. The internet gateway of the VPC has been misconfigured. - Correct - if the IGW was never attached to the VPC, you get a connection timeout.
C. The security group denies outbound traffic on ephemeral ports. - Incorrect - SGs are stateful, and as per the scenario, the inbound connection comes from the public internet towards the bastion hosts.
D. The route table is missing a route to the internet gateway. - Correct.
E. The NACL denies outbound traffic on ephemeral ports. - Correct.
F. The host-based firewall is denying SSH traffic. - If this is the case, we get a connection refused error, not a connection timeout, so this is incorrect.
Answer is BDE.
upvoted 2 times
addy_prepare
1 year, 8 months ago
Selected Answer: DEF
DEF - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
upvoted 1 times
addy_prepare
1 year, 9 months ago
Selected Answer: DEF
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
upvoted 1 times
addy_prepare
1 year, 9 months ago
Selected Answer: BDE
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
upvoted 1 times
Balki
2 years, 5 months ago
Selected Answer: DEF
Not sure why no one gave the exact link https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html#TroubleshootingInstancesCommonCauses
upvoted 2 times
hubekpeter
2 years, 5 months ago
Selected Answer: DEF
A - It's many:1 NAT, that's what a NAT GW is doing; it's used for outbound connectivity - No
B - You can only attach an IGW, there's nothing that can be misconfigured - No
C - SGs are stateful, you don't need to open traffic in the opposite direction - No
D - Correct answer, you need to have a default route 0.0.0.0/0 towards the IGW - Yes
E - NACLs are stateless, you need to allow TCP/22 inbound and TCP 1024-65535 outbound, those are the so-called higher or ephemeral ports - Yes
F - Correct, you can implement a firewall on the OS level - Yes
upvoted 5 times
ecpcloud
1 year, 10 months ago
To your explanation about C: SGs being stateful isn't the actual reason, but that SGs can only ever Allow traffic, whereas in the question the option states "Deny". So it's wrong because SGs couldn't deny any kind of traffic.
upvoted 1 times
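The reasoning in the thread above (a default route to the IGW for D, inbound TCP/22 plus outbound ephemeral ports on a stateless NACL for E, an OS-level firewall for F) can be turned into an offline checker. The block below is an added example written for this page; it is not code from the original thread or from AWS. The route table and NACL entries are constructed inline in the shape of the EC2 API JSON (`describe-route-tables`, `describe-network-acls`) and do not describe a real account; the `igw-constructed` ID, the `HostFirewall` rule list and the `diagnose` helper are hypothetical names. NACL entries are evaluated the way AWS evaluates them (ascending rule number, first match wins, the `*` rule denies everything left), and the host firewall is modelled on netfilter semantics, where a DROP discards the SYN silently (the client times out) while a REJECT answers with a reset or ICMP error (the client reports "connection refused").

```python
"""Offline model of causes D, E and F for an SSH timeout to a bastion host.
Added example, not from the page or from AWS; all VPC objects are constructed."""
import ipaddress

EPHEMERAL = range(1024, 65536)  # outbound range the thread cites for the NACL


def has_igw_default_route(route_table):
    """Cause D: a public subnet's route table needs an active 0.0.0.0/0 -> igw-* route."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        and r.get("State") == "active"
        for r in route_table["Routes"]
    )


def _nacl_rules(entries, egress, peer_ip, protocol="6"):
    """Flatten the entries that can match one direction, peer and protocol into
    (from_port, to_port, allow) tuples in AWS evaluation order: ascending
    RuleNumber, first match wins. Protocol '-1' matches every protocol and,
    like an entry without PortRange, every port."""
    peer = ipaddress.ip_address(peer_ip)
    rules = []
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", protocol):
            continue
        if peer not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange") or {"From": 0, "To": 65535}
        rules.append((pr["From"], pr["To"], e["RuleAction"] == "allow"))
    return rules


def nacl_allows(entries, egress, port, peer_ip, protocol="6"):
    """True if the NACL passes this packet; no matching entry hits the implicit deny."""
    for lo, hi, allow in _nacl_rules(entries, egress, peer_ip, protocol):
        if lo <= port <= hi:
            return allow
    return False


def nacl_ephemeral_gaps(entries, client_ip):
    """Cause E, second half: NACLs are stateless, so the SYN-ACK back to the
    client's random source port needs its own outbound allow. Returns every
    port in EPHEMERAL that the outbound entries deny."""
    rules = _nacl_rules(entries, True, client_ip)

    def allowed(port):
        for lo, hi, allow in rules:
            if lo <= port <= hi:
                return allow
        return False

    return [p for p in EPHEMERAL if not allowed(p)]


def host_firewall_effect(rules, policy="ACCEPT"):
    """Cause F, modelled on netfilter INPUT: DROP -> client times out,
    REJECT -> client sees 'connection refused', ACCEPT -> no effect (None)."""
    effect = {"DROP": "timeout", "REJECT": "refused"}
    for r in rules:
        if r["chain"] == "INPUT" and r["proto"] == "tcp" and r["dport"] == 22:
            return effect.get(r["target"])
    return effect.get(policy)


def diagnose(vpc, client_ip):
    """Return the answer letters whose condition is present in this config."""
    causes = []
    if not has_igw_default_route(vpc["RouteTable"]):
        causes.append("D")
    acl = vpc["NetworkAclEntries"]
    if not nacl_allows(acl, False, 22, client_ip) or nacl_ephemeral_gaps(acl, client_ip):
        causes.append("E")
    if host_firewall_effect(vpc["HostFirewall"]) == "timeout":
        causes.append("F")
    return causes


def _nacl(outbound_to):
    """Constructed NACL: inbound TCP/22 from anywhere, outbound TCP 1024..outbound_to,
    plus the '*' deny entries (rule 32767) that describe-network-acls returns."""
    return [
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": outbound_to}},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    ]


LOCAL_ROUTE = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
IGW_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-constructed", "State": "active"}

# Constructed broken config: no IGW route, an outbound NACL rule that stops at
# 32767 (so clients whose source port lands above it time out intermittently,
# matching "either fails to respond"), and an iptables-style DROP on port 22.
BROKEN_VPC = {
    "RouteTable": {"Routes": [LOCAL_ROUTE]},
    "NetworkAclEntries": _nacl(32767),
    "HostFirewall": [{"chain": "INPUT", "proto": "tcp", "dport": 22, "target": "DROP"}],
}
FIXED_VPC = {
    "RouteTable": {"Routes": [LOCAL_ROUTE, IGW_ROUTE]},
    "NetworkAclEntries": _nacl(65535),
    "HostFirewall": [{"chain": "INPUT", "proto": "tcp", "dport": 22, "target": "ACCEPT"}],
}

if __name__ == "__main__":
    print("broken:", diagnose(BROKEN_VPC, "203.0.113.10"))  # ['D', 'E', 'F']
    print("fixed:", diagnose(FIXED_VPC, "203.0.113.10"))    # []
```

Running the module prints `['D', 'E', 'F']` for the broken config and `[]` for the fixed one. The half-open outbound range in `BROKEN_VPC` is worth noting: with a stateless NACL the failure depends on which source port the client's kernel picked, which is exactly the "sometimes no response" symptom the question describes, whereas a security group (stateful, allow-only) never needs the reverse rule at all.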
Isaias
2 years, 7 months ago
DEF. A. NAT is for private subnets and cannot be accessed from the internet. B. The IGW is configured for the public subnet, not for the VPC. C. SGs are stateful, so you don't need the ephemeral ports.
upvoted 1 times
watoz1851
2 years, 8 months ago
Selected Answer: DEF
You must add the ephemeral ports for the ACL.
upvoted 2 times
Rja148393
2 years, 9 months ago
The reference given is correct https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html Answer would be DEF.
upvoted 1 times
dcasabona
2 years, 9 months ago
Selected Answer: ADF
The question says: Either the connection does not reply or the following error message is generated: Connection ran out due to a network problem. Options A, D and F:
A. The NAT gateway in the subnet where the EC2 instance is deployed has been misconfigured. ===> The NAT gateway is used for private subnets to connect to the external world, so it could be the problem of not replying to the connection...
B. The internet gateway of the VPC has been misconfigured. ===> It could be, but you can't configure an internet gateway.
C. The security group denies outbound traffic on ephemeral ports. ===> Ephemeral ports are just for web servers, when the browser picks any port to communicate, which is not the case for SSH.
D. The route table is missing a route to the internet gateway. ===> Could be a route problem...
E. The NACL denies outbound traffic on ephemeral ports. ===> The same as C...
F. The host-based firewall is denying SSH traffic. ===> It could be...
upvoted 1 times
TerrenceC
2 years, 4 months ago
The reason why #A is ruled out is because this host is able to be connected over the Internet, which means this host resides in the public subnet where the Internet Gateway functions.
upvoted 1 times
TigerInTheCloud
3 years, 1 month ago
Selected Answer: DEF
Agree with PeppaPig's reasoning I have never seen an error message like 'Connection ran out due to a network problem' :-)
upvoted 1 times
AliS2020
3 years, 3 months ago
Short description. Error message: "ssh: connect to host ec2-X-X-X-X.compute-1.amazonaws.com port 22: Connection timed out". This error message comes from the SSH client. The error indicates that the server didn't respond to the client and the client program gave up (timed out). The following are common causes for this error:
The security group or network ACL doesn't allow access.
There is a firewall on the instance's operating system.
There is a firewall between the client and the server.
The host doesn't exist.
https://aws.amazon.com/premiumsupport/knowledge-center/ec2-linux-resolve-ssh-connection-errors/
As per this article it should be C, E, F. Let me know your thoughts? Happy to hear.
upvoted 3 times
NSF2
3 years, 3 months ago
Has anyone seen or heard the error message "connection ran out"? This is in fact making the question a little misleading; however, DEF are the only ones that make sense.
upvoted 1 times