Exam ANS-C00 topic 1 question 196 discussion

Exam question from Amazon's ANS-C00
Question #: 196
Topic #: 1

To allow all traffic to access an instance in "Subnet 1" that uses "Security Group 1", what two options need to be configured? (Choose two.)

  • A. NACL rule allowing 0.0.0.0/0 to access "Subnet 1"
  • B. Security Group rule in "Security Group 1" that allows 0.0.0.0/0 inbound
  • C. Security Group rule in "Security Group 1" that allows outbound traffic to 0.0.0.0/0
  • D. NACL rule allowing 0.0.0.0/0 to access "Security Group 1"
Suggested Answer: AB
You must allow traffic through both the NACL and the Security Group to reach the instance. If the NACL has no outbound allow rule, you may need to add one, but an outbound rule for Security Group 1 is not necessary because security groups are stateful.

Comments

ChauPhan
Highly Voted 3 years, 7 months ago
A. NACL rule allowing 0.0.0.0/0 to access "Subnet 1" B. Security Group rule in "Security Group 1" that allows 0.0.0.0/0 inbound
upvoted 9 times
bp339
Most Recent 3 years, 2 months ago
Selected Answer: AB
Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules. So C is not right. AB are the answers
upvoted 1 times
cidd04
3 years, 7 months ago
AB. C does not "need to be configured". By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#CreatingSecurityGroups
upvoted 2 times
JamesTR
3 years, 8 months ago
C is a correct answer and A is the best answer between remaining three answers. When allowing traffic on NACL one must remember to allow returning traffic on ports 1024 to 65535. (NACL is not stateful)
upvoted 2 times
VEV
3 years, 8 months ago
AC. Can someone explain why C is not correct? Since SG are stateful, you cannot deny the incoming traffic but we can allow which is by creating outbound rule. I may be wrong but happy to correct
upvoted 1 times
ptpho
3 years, 7 months ago
all traffic to access an instance -> instance is destination
upvoted 2 times
JamesTR
3 years, 8 months ago
C is not correct because it is not necessary. Security Groups are stateful, so returning traffic will be automatically allowed.
upvoted 5 times
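The evaluation path behind the AB answer, as an added example that is not part of the original page or any commenter's post: a simplified Python model of a stateless NACL and a stateful security group, showing that an inbound connection needs NACL and security group inbound rules plus NACL outbound rules for the reply, while the security group outbound rules are never consulted. The names, the model (no protocol field, list order standing in for rule numbers) and the client address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)  # return-port range quoted in the comments above

@dataclass(frozen=True)
class Rule:
    cidr: str            # remote side: source for inbound, destination for outbound
    ports: range         # destination ports of the packet
    allow: bool = True   # only NACL rules may be deny; security group rules are allow-only

    def matches(self, remote_ip, dst_port):
        return ip_address(remote_ip) in ip_network(self.cidr) and dst_port in self.ports

def nacl_permits(rules, remote_ip, dst_port):
    """Stateless NACL: rules checked in order, first match decides, else deny."""
    for rule in rules:
        if rule.matches(remote_ip, dst_port):
            return rule.allow
    return False

def sg_permits(rules, remote_ip, dst_port):
    """Security group: any matching allow rule permits, else deny."""
    return any(rule.matches(remote_ip, dst_port) for rule in rules)

def inbound_connection_works(nacl_in, nacl_out, sg_in, sg_out,
                             client_ip, client_port, server_port):
    # Request, client -> instance: subnet NACL inbound, then security group inbound.
    if not nacl_permits(nacl_in, client_ip, server_port):
        return False
    if not sg_permits(sg_in, client_ip, server_port):
        return False
    # Reply, instance -> client: the security group tracked the connection, so
    # sg_out is never consulted. The NACL is stateless and checks the reply
    # against its outbound rules, using the client's source port as destination.
    return nacl_permits(nacl_out, client_ip, client_port)

if __name__ == "__main__":
    any_ip = [Rule("0.0.0.0/0", ALL_PORTS)]
    client = ("203.0.113.10", 50000, 443)  # constructed client ip, client port, server port
    print("A+B, no SG outbound rule:", inbound_connection_works(any_ip, any_ip, any_ip, [], *client))
    print("A+C, no SG inbound rule: ", inbound_connection_works(any_ip, any_ip, [], any_ip, *client))
    print("NACL outbound 443 only:  ", inbound_connection_works(
        any_ip, [Rule("0.0.0.0/0", range(443, 444))], any_ip, [], *client))
```
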