Exam ANS-C00 topic 1 question 235 discussion

Exam question from Amazon's ANS-C00
Question #: 235
Topic #: 1

Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?

  • A. Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
  • B. Configure an outbound rule on the application server instance security group for the Git repository.
  • C. Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
  • D. Configure an inbound rule on the application server instance security group for the Git repository.
Suggested Answer: B
The traffic leaves the instance destined for the Git repository; at this point, the security group must allow it through. The route table then directs that traffic (based on the destination IP) to the NAT gateway. A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway. C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway. D is wrong because allowing outgoing traffic to the Git repository requires an outbound security group rule.
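To make the distinction concrete, here is an added example (not part of the exam material) that models stateful security-group evaluation in Python; the addresses and port numbers are constructed for illustration:

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    proto: str   # "tcp", "udp" or "-1" for all protocols
    port: int    # port the rule applies to (ignored when proto == "-1")
    cidr: str    # destination CIDR (egress rule) or source CIDR (ingress rule)

@dataclass
class SecurityGroup:
    egress: list = field(default_factory=list)
    ingress: list = field(default_factory=list)
    tracked: set = field(default_factory=set)  # outbound flows already let out

    def _match(self, rules, proto, port, ip):
        return any(r.proto in ("-1", proto)
                   and (r.proto == "-1" or r.port == port)
                   and ip_address(ip) in ip_network(r.cidr) for r in rules)

    def allow_egress(self, src, dst, proto, dport):
        # Rules are matched on the packet's real destination (the Git server).
        # The NAT gateway is only the next hop picked by the route table and
        # never appears in the packet, so a rule "to the NAT gateway" cannot match.
        ok = self._match(self.egress, proto, dport, dst)
        if ok:
            self.tracked.add((src, dst, proto, dport))
        return ok

    def allow_ingress(self, src, dst, proto, sport, dport):
        # Stateful: the reply to a tracked outbound flow needs no inbound rule.
        if (dst, src, proto, sport) in self.tracked:
            return True
        return self._match(self.ingress, proto, dport, src)

# Constructed addresses: instance, NAT gateway (private IP) and Git server.
INSTANCE, NAT_GW, GIT = "10.0.1.10", "10.0.0.5", "203.0.113.20"

def scenario():
    sg = SecurityGroup(egress=[Rule("-1", 0, NAT_GW + "/32")])  # "all traffic to the NAT gateway"
    before = sg.allow_egress(INSTANCE, GIT, "tcp", 443)         # blocked: dst is the repo
    sg.egress.append(Rule("tcp", 443, GIT + "/32"))             # option B: outbound rule to the repo
    after = sg.allow_egress(INSTANCE, GIT, "tcp", 443)
    reply = sg.allow_ingress(GIT, INSTANCE, "tcp", 443, 51000)  # allowed by state, no inbound rule
    only_d = SecurityGroup(ingress=[Rule("tcp", 443, GIT + "/32")])  # option D alone
    return before, after, reply, only_d.allow_egress(INSTANCE, GIT, "tcp", 443)

if __name__ == "__main__":
    print(scenario())  # (False, True, True, False)
```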

Comments

AleZ67
2 years, 11 months ago
D By default, new security groups start with only an outbound rule that allows all traffic to leave the resource. You must add rules to enable any inbound traffic or to restrict the outbound traffic. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
upvoted 1 times
walkwolf3
3 years, 7 months ago
B The answer's explanation is very clear.
upvoted 2 times
wahlbergusa
3 years, 7 months ago
Key statement in the question: "The security group for your application server instances permits all traffic to the NAT gateway" (obviously the horrible nature of the wording of the people who prepare these questions is still there but... :) ). The statement above means that the outbound rule in the security group, to which the app server instances are associated, only allows traffic to the NAT Gateway itself. This is not a route entry, guys. This means Source IP/ENI: App server, Destination IP/ENI: NAT Gateway, is allowed in the current security group. Hence you definitely need to add another rule to the security group of the app server instances, and that rule should allow traffic to the Destination: Git Repo.
upvoted 1 times
StelSen
3 years, 7 months ago
For this question I chose the elimination method. I eliminated A, C, D due to various reasons mentioned in the thread. Left over is choice B. :-) In real life I would have a clearer problem statement. For the exam it's ok.
upvoted 1 times
Huy
3 years, 7 months ago
B is correct. A & D are clearly wrong. C is wrong because they said the NAT Gateway can reach the Git repo, therefore the NACL in the public subnet is OK.
upvoted 1 times
ChauPhan
3 years, 7 months ago
B and D are OK. Why? From server to Git repository is HTTPS or SSH, which always requires TCP handshakes both ways, and security groups are stateful. Once you add a rule in either inbound or outbound, the remaining way is auto-allowed. So why is only D correct? :)
upvoted 1 times
student2020
3 years, 7 months ago
GitHub does not initiate traffic to the instance, so an inbound rule in the SG is not required. With SGs, it's always about where the traffic is initiated from.
upvoted 3 times
ChauPhan
3 years, 7 months ago
Rethink: D. Configure an inbound rule on the application server instance security group for the Git repository. When inbound for the SG is configured, there is no need for outbound as it is stateful.
upvoted 1 times
eeghai7thioyaiR4
3 years, 7 months ago
Ans: B. The phrase "The security group for your application server instances permits all traffic to the NAT gateway." means nothing. Your application instance does not connect to the NAT gateway, so adding an ALLOW FROM <instance> TO <nat gateway> is useless. What must be done: adding an ALLOW FROM <instance> TO <git repo> (using the proper IP information and possibly TCP if you want). Our instance does not connect to the NAT gateway; the flow passes through.
upvoted 1 times
eeghai7thioyaiR4
3 years, 7 months ago
To be clearer: you never add an ALLOW rule between an instance and an internet gateway.
upvoted 1 times
awspro2021
3 years, 8 months ago
B - The traffic leaves the instance destined for the Git repository; at this point, the security group must allow it through. The route then directs that traffic (based on the IP) to the NAT gateway. A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway. C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway. D is wrong because to allow outgoing traffic to the Git repository requires an outgoing security group rule.
upvoted 3 times
Huy
3 years, 7 months ago
C is wrong because they said the NAT Gateway can reach the Git repo, therefore the NACL in the public subnet is OK. Don't assume the question only asks for outgoing traffic.
upvoted 1 times
Huntkey
3 years, 8 months ago
It says the SG already "permits all traffic to NAT gateway" and I guess it is different from permitting traffic to GIT through the NAT gateway. I think B makes sense. C is completely wrong though.
upvoted 1 times
JamesTR
3 years, 8 months ago
None of the answers is correct. There must be something messed up with NACL, so C is the closest answer.
upvoted 1 times
JamesTR
3 years, 7 months ago
I am retracting what I wrote above. B is correct.
upvoted 1 times
Ganfeng
3 years, 8 months ago
The question already mentioned that "The security group for your application server instances permits all traffic to the NAT gateway."?
upvoted 1 times
doski
3 years, 8 months ago
C looks more like the answer
upvoted 4 times
JamesTR
3 years, 7 months ago
Cannot be C. 1. Traffic is initiated from AWS and the SG will allow return traffic automatically. 2. If you allow inbound on the NACL you will have to allow all IPs outbound as well.
upvoted 1 times