Exam AWS Certified Solutions Architect - Professional topic 1 question 647 discussion

A&C are correct. NLB will see traffic from interface endpoint subnet and logging service subnet. Logging service SG will see traffic only from NLB IP.

A&C. The client of the Logging service running on EC2 is NLB and not the interface endpoint. the flow is Client->VPCE(PrivateLink)->NLB->Logging service. So the answer is A & C 100%.

A: NACLs for communication between NLB and logging service subnets are irrelevant as they reside within the same VPC. C: Security groups for communication between NLB and logging service EC2 instances are managed internally by the NLB. D: Clients don't directly communicate with logging service EC2 instances; they interact via the NLB. regarding B, For successful communication, NACLs attached to the logging service subnets must explicitly allow inbound traffic from the interface endpoint subnets. This ensures that traffic originating from the client services, passing through the interface endpoints, is permitted to enter the logging service subnets and reach the EC2 instances hosting the logging application.

https://aws.amazon.com/premiumsupport/knowledge-center/security-network-acl-vpc-endpoint/ 1. The Inbound security group rules of the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes The rules within the network ACL associated with the Network Load Balancer’s targets allow communication from the private IP address of the Network Load Balancer nodes

B +D is corect

I think A&D and include C. With NLB, for security group attached to target EC2 instance (front by NLB) need to allow not only IP of NLB but also IP from client (If target type is an instance), assume that we use EC2 only, so target type instance is fitted. https://aws.amazon.com/premiumsupport/knowledge-center/security-group-load-balancer/

Agree with AC: NLB

A is not correct. The Q states "The logging service is deployed in many SUBNETS", A states "Check that the NACL is attached to the logging service SUBNET"

A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances. C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.

It seems B & D for me. I need to revisit this question again !

From this resource https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#client-ip-preservation: "Client IP preservation has no effect on AWS PrivateLink traffic. The source IP of the AWS PrivateLink traffic is always the private IP address of the Network Load Balancer." ... hence the answer is A&C

It's A C since the client of the Logging service running on EC2 is NLB

Hi guys, NLB does not do Source NAT unlike ALB, but is the correct answer still A & C?

AAA CCC --- I don't understand what NLB not having security group has to do with A/C. I'm thinking that the clients are sending traffic to the NLB (not some kind of round robin directly on the EC2 instances). The communication between NLB and EC2 instances still has to be configured. It doesn't work out of the box

A and C

I'll go with B,D

B&D. NLB is not like ALB. it just passes the traffic to EC2. EC2 needs to allow ingress from outside.