A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?
A.
The user can connect to a instance in a private subnet using the NAT instance
B.
The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
C.
Allow Inbound traffic on port 22 from the user's network
D.
Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet
Suggested Answer:C🗳️
The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data centre, the user can setup a case with a VPN only subnet (private) which uses VPN access to connect with his data centre. When the user has configured this setup with Wizard, all network connections to the instances in the subnet will come from his data centre. The user has to configure the security group of the private subnet which allows the inbound traffic on SSH (port 22) from the data centre's network range. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html
Answer:C
A is out since NAT instance for outbound traffic
B is out since there is no IGW deployed
D is out since traffic from internet can't reach the instance and port 80 is not relevant here
Ans C.
{
- The question is about rule, not solution
- If It's B then we need restrict IP access and configure SecG in bastion host -> B is not enough
}
We have only private subnet
A: NAT instance requires a public subnet
B: bastion - again requires public subnet
C: Rule - allowing for ssh
D: Rule - allowing for ssh, http and allow access from internet
A, B and D are NOK, we dont have public subnet
--> C (and maybe using of a VPN cnx)
Infact, question is not clearly so I think It's not about connection model
Wait a minute .. that would need the internal IP to be trusted, not the elastic IP
So B is false
C is OK, but how would that VPN be UP from a private subnet ?
A is OK, but again, how would that "NAT instance (?!)" be connected to internet ?
I don't know
The subnets in that VPC are announced by VGW through that VPN (either as static or BGP routes) . When someone calls it a "private" subnet that does not mean anything in terms of routing, it will still be announced by VGW of that VPC. Private term comes from the fact that the subnet' s route table does not have a default route and it does not have direct connectivity to internet. So the traffic from on prem will get to the VPC through the VPN connection and the EC2 instance should have an inbound rule which allows traffic to destination port 22. Answer is C.
upvoted 4 times
...
...
...
...
This section is not available anymore. Please use the main Exam Page.ANS-C00 Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
ErnstVonPappen
2 years, 6 months agoclooudy
3 years agoptpho
3 years, 7 months agoptpho
3 years, 7 months agoChauPhan
3 years, 8 months agoeeghai7thioyaiR4
3 years, 8 months agoeeghai7thioyaiR4
3 years, 8 months agoChauPhan
3 years, 8 months agowahlbergusa
3 years, 7 months ago