The issue would not be nat related so eliminate A and E . Problem is inbound so eliminate C. This leaves B and D.

B & D are correct answers

BD are the correct answers here.

B,C,D could all be true but based on the context of the question we can eliminate "C" (with some basic assumptions) "This single web server is not receiving inbound connections from the internet, whereas all other web servers are functioning properly." This means there are also alot of EC2s behind the loadbalancer. They are probably residing on the same subnet (It would be really weird if all EC2s were on subnet A and our single EC2 would be on subnet B) (Or if all EC2 instances were on a different subnet) Since a route table is associated with a subnet if it was configured incorrectly > We would have problems on multiple EC2 instances for the return traffic. So answer C can be eliminated, but anyone whos saying the reason is that its OUTBOUND traffic has clearly no idear how networking works (Even if a HTTP(s) connection comes in our EC2 server would need to respond to it for it to be a complete connection)

Guys, B and D are the correct answers. Keep in mind that partial credit is not awarded for multiple-response questions (ref: https://aws.amazon.com/certification/policies/before-testing/) i.e. you have to select both B and D to get any marks awarded.

C,D C --- It is required Routing Table., so verfification required. B ---- The Security Engineer has verified the following: 1. The rule set in the Security Groups is correct

ACE answers will affect the whole subnet and every workload running there. So logically A&C remained.

B - Confirm security group is actually attached to teh instance, if every other server is working fine... D - If every server is working fine, must be something instance specific, likely not attached to the ALB via a target group.

is not accepting incoming connections from the internet, The problem has to to wqith ingress connectiions AEC out

B & D, D is pretty obvius and the discussion is focused in B or C and the key here is the wording as usual, although it's said "The rule set in the Security Groups is correct" the option C mentions "Verify WHICH Security Group is applied to the particular web serverג€™s elastic network interface (ENI).", so WHICHis the word because although sg rules are correct, not necessarely can be assigned to web server ENI.

B. Verify which Security Group is applied to the particular web serverג€™s elastic network interface (ENI). D. Verify the registered targets in the ALB.

I would select options C & D. Because unless you explicitly configure the instances to route traffic via the security appliance it won't do by itself. the question says the it must traverse via the virtual security appliance.

* The question stipulates that the security group are ok (1) --> B is eliminated * The NAT is outbound user control traffic not inbound as the question specified --> A & E discarded * For the 2 choices, we have C and D which seem normal as: 1) if that particular was not properly registered with the target it will not receive inbound traffic; 2) If the web server subnet associated route table is not pointing to the virtual security appliance it won't recive traffic. So, we can safely say C & D are the correct answers.

B & D is correct why? if relevant to routing (0/0), then all server must affect -> A, C, E is wrong if relate to inbound connectivity -> NAT gateway is not relevant -> A, E is wrong.

Anyone can explain why, besides re-stating the same ? Can't picture what is connected to what: - without an exhibit this is a cruel Q.

Ans: BD

Ans > B,D