Exam ANS-C00 topic 1 question 162 discussion

Exam question from Amazon's ANS-C00
Question #: 162
Topic #: 1
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company's concerns? (Choose two.)

  • A. Remove any rules allowing ::/0 inbound in the security group.
  • B. Block ::/0 inbound in the NACL.
  • C. Create an egress-only internet gateway.
  • D. Block 0.0.0.0/0 inbound in the NACL.
Suggested Answer: AC
A NACL rule for 0.0.0.0/0 matches only IPv4 packets, so option D does nothing for IPv6 traffic. Network ACLs are stateless: denying ::/0 inbound in the NACL (option B) also drops the replies to the instances' own outbound connections, so updates fail. Security groups are stateful, so with no rule allowing ::/0 inbound (option A) an instance can still open outbound connections and receive the return traffic, while nothing outside can initiate a connection to it. An egress-only internet gateway (option C) gives the same result for IPv6 at the VPC level: it is the IPv6 counterpart of the NAT gateway, forwarding outbound-initiated traffic and its replies while refusing connections initiated from the internet.
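The stateless-versus-stateful distinction behind the answer can be checked with a small model. The script below is an added example, not AWS code or code from this page: it models a NACL as an ordered, memoryless rule list and a security group or egress-only internet gateway as an allow-only filter with connection tracking, then pushes an outbound update request, its reply and an unsolicited inbound SYN through each option's filter chain. All addresses, the security group ID and the describe-security-groups sample are constructed, and the model matches on addresses only (a real NACL would additionally need ephemeral-port allow rules, which is exactly the detail option B trips over).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses for the walkthrough; none of these belong to a real deployment.
INSTANCE = "2001:db8:1::10"    # assumed public IPv6 address of the instance
MIRROR = "2001:db8:ffff::1"    # assumed package mirror the instance updates from
ATTACKER = "2001:db8:bad::1"   # assumed unsolicited external host
ANY_V6 = "::/0"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def matches(addr, cidr):
    # A v6 address never falls inside a v4 prefix, which is why 0.0.0.0/0 rules ignore IPv6.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


class Nacl:
    """Network ACL: stateless, ordered (cidr, action) rules per direction, first match wins."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}

    def permits(self, direction, pkt):
        addr = pkt.src if direction == "in" else pkt.dst
        for cidr, action in self.rules[direction]:
            if matches(addr, cidr):
                return action == "allow"
        return False  # implicit deny at the end of every NACL


class StatefulFilter:
    """Security group or egress-only IGW: allow-only rules plus connection tracking."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # flows seen leaving, keyed as they will look coming back

    def permits(self, direction, pkt):
        if direction == "out":
            if any(matches(pkt.dst, c) for c in self.outbound):
                self.tracked.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
                return True
            return False
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tracked:
            return True  # reply to a flow we allowed out: no inbound rule needed
        return any(matches(pkt.src, c) for c in self.inbound)


def security_group(inbound_cidrs):
    return StatefulFilter(inbound_cidrs, [ANY_V6])  # default SG egress allows everything


def egress_only_igw():
    return StatefulFilter([], [ANY_V6])  # no inbound rules: the internet cannot open a flow


def run(chain):
    """Filters listed instance-side first. Returns (update_works, attacker_blocked)."""
    def send(direction, pkt):
        order = chain if direction == "out" else list(reversed(chain))
        return all(f.permits(direction, pkt) for f in order)

    request = Packet(INSTANCE, 50000, MIRROR, 443)  # instance -> mirror from an ephemeral port
    reply = Packet(MIRROR, 443, INSTANCE, 50000)    # the mirror's answer to that flow
    attack = Packet(ATTACKER, 4444, INSTANCE, 22)   # nobody inside asked for this one
    update_works = send("out", request) and send("in", reply)
    return update_works, not send("in", attack)


def evaluate_options():
    """Outcome of each answer option as (update_works, attacker_blocked)."""
    allow_all_nacl = lambda: Nacl([(ANY_V6, "allow")], [(ANY_V6, "allow")])
    wide_open_sg = lambda: security_group([ANY_V6])
    return {
        "A": run([security_group([]), allow_all_nacl()]),
        "B": run([wide_open_sg(), Nacl([(ANY_V6, "deny")], [(ANY_V6, "allow")])]),
        "C": run([wide_open_sg(), allow_all_nacl(), egress_only_igw()]),
        "D": run([wide_open_sg(), Nacl([("0.0.0.0/0", "deny"), (ANY_V6, "allow")], [(ANY_V6, "allow")])]),
    }


def open_ipv6_inbound_rules(security_groups):
    """Audit for option A: given the SecurityGroups list in the shape returned by
    `aws ec2 describe-security-groups`, list (GroupId, FromPort, ToPort) of every
    inbound rule that allows ::/0."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            for rng in perm.get("Ipv6Ranges", []):
                if rng.get("CidrIpv6") == ANY_V6:
                    findings.append((sg["GroupId"], perm.get("FromPort"), perm.get("ToPort")))
    return findings


# Constructed describe-security-groups output (hypothetical group ID): SSH open to all of IPv6.
SAMPLE_GROUPS = [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
]}]
```

Running `evaluate_options()` gives A and C as (True, True): updates work and the attacker's SYN is dropped. B comes out (False, True) because the stateless NACL drops the mirror's reply along with the attacker, and D comes out (True, False) because the 0.0.0.0/0 deny never matches an IPv6 source. `open_ipv6_inbound_rules(SAMPLE_GROUPS)` flags only the port-22 rule, which is the rule option A says to remove.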

Comments

walkwolf3
Highly Voted 3 years, 7 months ago
AC. Since NACL is stateless, if you select B (Block ::/0 inbound in the NACL), the returned outbound IPv6 traffic will be blocked.
upvoted 7 times
Huy
Most Recent 3 years, 7 months ago
A and C. If you block ::/0, that means no IPv6 traffic can reach your instance. Regarding security, we should not allow IPv6 from anywhere to access the instances. Just open it for identified IPs.
upvoted 4 times
ChauPhan
3 years, 8 months ago
B and C
upvoted 1 times
ChauPhan
3 years, 8 months ago
NAT does not support IPv6; you need an egress-only internet gateway. An SG needs to be assigned to specific instances (EC2, etc.). To set it for the whole VPC, we can use a NACL.
upvoted 1 times
ptpho
3 years, 7 months ago
So when we update: SecG allows out/in + NACL allows out -> destination reached -> responds -> NACL blocks in (return traffic). Then the update will fail. -> I think the answers are A and C.
upvoted 1 times
StelSen
3 years, 7 months ago
So, when an instance makes an egress request, it has to come back via ephemeral ports and the NACL should allow inbound ::/0, right? So, I feel A&C are right?
upvoted 2 times
Ishu_awsguy
3 years, 8 months ago
B and C
upvoted 1 times
NSF2
3 years, 8 months ago
Why not BC? You can use NACL to block incoming ::/0.
upvoted 1 times
pfilourenco
3 years, 7 months ago
Blocking ::/0 in the NACL will prevent return traffic and updates to the instances.
upvoted 1 times
eeghai7thioyaiR4
3 years, 8 months ago
A and C will work
upvoted 4 times
Community vote distribution: A (35%), C (25%), B (20%), other.