Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 291 discussion

C is right

C is correct. Reasons as below: Security groups are stateful: This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened. Network ACLs are stateless: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic. Refer url: https://medium.com/awesome-cloud/aws-difference-between-security-groups-and-network-acls-adc632ea29ae

(A) is the answer, load balancer does not NAT by default the Source address coming from Internet, it NATs only the destination (private IP of web application) User (IP 0.0.0.0/0) Server (private IP x.x.x.x) Load Balancer (public IP y.y.y.y) the traffic flow is: 1- from user (src IP: 0.0.0.0/0 | dst IP: y.y.y.y) 2- at LB is made the NAT from (src IP: 0.0.0.0/0 | dst IP: y.y.y.y) to (src IP: 0.0.0.0/0 | dst IP: x.x.x.x) 3- at WEB server the package has the IP (src IP: 0.0.0.0/0 | dst IP: x.x.x.x)

C is correct answer

This was on my test 7/28/21 and C is correct.

Answer C Network ACL is used for VPC subnet, not instance, so D is wrong

CCCCCCCCCCCCCc

C is correct. Reason is the keywords "each resource has the least access required" and only security groups are stateful and least access required.

C is ok

C for correct

Yep C is correct. The web servers and the sql servers are all the private subnet and should not have direct internet access.

Ans=A. Create a security group for the web servers and allow port 443 from 0.0.0.0/0. Create a security group for the MySQL servers and allow port 3306 from the web servers security group.

C 100%

You can’t have the LB as the source but you can have its SG as the source, if you have to specify IP address, range or prefix

CCCCCCCCCCC

C is correct

It is C