
Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 430 discussion

A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC. A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers. The solutions architect must make sure that the security groups of all the EC2 instances will allow that access.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)

  • A. Replace the current security group of the bastion host with one that only allows inbound access from the application instances.
  • B. Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company.
  • C. Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company.
  • D. Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host.
  • E. Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host.
Suggested Answer: AC
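As an added illustration (not part of the question or the site), this is how the two security groups the most-voted comments describe for options C and D could be declared in Terraform: the bastion accepts SSH only from the company's external (NAT) range, and the application tier accepts SSH only from the bastion, referenced by security group rather than by its private IP so nothing is hard-coded. The variable names, the `203.0.113.0/24` placeholder range and the existence of the VPC and instances elsewhere in the configuration are assumptions.

```hcl
variable "vpc_id" { type = string }
# Public range the on-premises network appears as on the internet (constructed placeholder, RFC 5737 range).
variable "company_external_cidr" {
  type    = string
  default = "203.0.113.0/24"
}
variable "private_subnet_cidr" { type = string }

# Bastion host in the public subnet: inbound SSH only from the company's external range (option C).
resource "aws_security_group" "bastion" {
  name        = "bastion-ssh"
  description = "SSH to bastion from corporate egress IPs only"
  vpc_id      = var.vpc_id

  ingress {
    description = "SSH from on-premises, arriving via the internet"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.company_external_cidr]
  }

  # Terraform removes AWS's default allow-all egress on this resource; allow only SSH into the app tier.
  egress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.private_subnet_cidr]
  }
}

# Application instances in the private subnet: inbound SSH only from the bastion (option D).
# Referencing the bastion's security group matches the bastion's private ENI address, so nothing
# is hard-coded; inside the VPC the bastion's public IP is never the source address, which is
# why a rule keyed on the public IP (option E) would not admit the traffic.
resource "aws_security_group" "app" {
  name        = "app-ssh-from-bastion"
  description = "SSH only from the bastion host"
  vpc_id      = var.vpc_id

  ingress {
    from_port       = 22
    to_port         = 22
    protocol        = "tcp"
    security_groups = [aws_security_group.bastion.id]
  }
  # Stateful: SSH replies to the bastion are allowed without an egress rule. Add egress only
  # for what the application itself must initiate (for example a NAT gateway path for updates).
}
```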

Comments

lovelyone
Highly Voted 3 years, 8 months ago
The answer is C & D because: according to D, our connection from the company to the application can't be direct. You must first connect to the bastion, and then connect to the application server. The bastion server is on the same VPC, which already has routing; there is no logic in connecting via an external IP while you are in the local VPC.
upvoted 61 times
crazyaboutazure
3 years, 8 months ago
Must be C & E, as a bastion host is an instance that is provisioned with a public IP address and can be accessed via SSH.
upvoted 4 times
theCreatorSD
3 years, 7 months ago
It is provisioned in a public subnet and would have both a public and a private IP. It would use the private IP to connect to the application server, which is in a private subnet. Why do you think that the bastion server would use the private IP to connect to the instance in AWS?
upvoted 1 times
DS01
3 years, 7 months ago
Test the internet connection: the following example demonstrates how to test whether an instance in a private subnet can connect to the internet. Launch an instance in your public subnet (use this as a bastion host). For more information, see Launch an instance into your subnet. In the launch wizard, ensure that you select an Amazon Linux AMI, and assign a public IP address to your instance. Ensure that your security group rules allow inbound SSH traffic from the range of IP addresses for your local network, and outbound SSH traffic to the IP address range of your private subnet (you can also use 0.0.0.0/0 for both inbound and outbound SSH traffic for this test). Launch an instance in your private subnet. In the launch wizard, ensure that you select an Amazon Linux AMI. Do not assign a public IP address to your instance. Ensure that your security group rules allow inbound SSH traffic from the private IP address of the instance that you launched in the public subnet, and all outbound ICMP traffic. You must choose the same key pair that you used to launch your instance in the public subnet. Answer is A and C.
upvoted 1 times
DS01
3 years, 7 months ago
Sorry for the typo. Answer is C and D.
upvoted 3 times
Rajjay
3 years, 6 months ago
Guys, the answer is C & D. Here is the link to prove it: https://digitalcloud.training/ssh-into-ec2-in-private-subnet/ Prove me wrong.
upvoted 3 times
swadeey
3 years, 7 months ago
Seems to be right. A will not help as it is the opposite of what we need; we need outbound SSH access from the bastion. B. Internal IP range will only help if we have VPN access. C. Makes sense: "needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers." D. Makes sense; once you are on the bastion host, you can use that host's private IP to connect to the application server. E. Public IP address is for outside connections. Best practice would be B and D, but here B is not applicable. This seems like we're creating a free tier and connecting to the bastion host using a public IP from our laptops while we learn, and then testing further with the private subnet EC2.
upvoted 5 times
swadeey
3 years, 7 months ago
Point A, more clarifying: we need outbound SSH access from the bastion to the application. So the connection is: laptop on the company's premises using the internet -> bastion host over public IP -> application EC2.
upvoted 1 times
jkwek
Highly Voted 3 years, 8 months ago
Correction to earlier typo mistakes: answers are C and E. What is the difference between an internal and an external IP address? Reason for answer C: your internal IP address is for your local network only; it exists so that your router (the device connecting you to the internet) can tell the difference between your computer, your cell phone, a printer, or other devices while they are connected to it, while your external IP address is the IP address of your router; this is what websites see when you are browsing the web. Reason for E: https://aws.amazon.com/quickstart/architecture/linux-bastion/ Between the app servers and the bastion host, which should be in a public subnet, the external IP range will be used.
upvoted 14 times
batchi_dz
3 years, 7 months ago
Bastion instances (EC2) in a public subnet have private addresses which can be whitelisted to reach the private subnets. So the answer is D.
upvoted 3 times
robertomartinez
3 years, 8 months ago
E makes no sense at all (basic networking)
upvoted 5 times
swadeey
3 years, 7 months ago
Each instance in a public subnet will have two IPs, public and private. For communication to internal components you will use the private IP. E is not helping the cause.
upvoted 2 times
jw1806
Most Recent 2 years, 8 months ago
Selected Answer: BD
Internal IP from the company makes sense, so B, not C.
upvoted 1 times
Karthikeyan_nick
3 years, 1 month ago
C & D: allow on-prem external IP traffic to only the bastion host, and allow only bastion host private IP traffic to the application instances.
upvoted 2 times
mandycad
3 years, 3 months ago
chxzqw, you are right. Answer is A. The reason is that security groups are stateful, which means any inbound traffic from application instances is by default allowed outbound to go back to the application instance. And answer C is for an obvious reason. This question is more about testing the security group property "stateful".
upvoted 1 times
osel
3 years, 4 months ago
I opt for C+D. The traffic flow: On-Prem Client -> Internet -> Public Subnet Bastion Host EC2 -> Private Subnet App Server EC2.
upvoted 1 times
FF11
3 years, 5 months ago
Selected Answer: CD
C & D are correct.
upvoted 1 times
FF11
3 years, 5 months ago
C & D are correct
upvoted 1 times
Sharan_25_v
3 years, 5 months ago
Has to be C and D.
upvoted 1 times
Spacer
3 years, 6 months ago
Both D and E are not good. The application SG should allow the bastion host SG. If I had to select one, I would go with E.
upvoted 1 times
Phyo007
3 years, 6 months ago
I just wonder how anyone on earth is stupid enough to give 'A' in this dump? LOL
upvoted 1 times
georgebab
3 years, 7 months ago
HELP: I'm a little confused. The question says: "A solutions architect needs to connect from the on-premises network, through the company's internet connection, to the bastion host, and to the application servers." Why C&D and not B&D? The reason I'm asking is that the question says "...needs to connect from the on-premises network, through the company's internet connection, to the bastion host...", which from my understanding means that you need to connect to the bastion through the INTERNAL IP range (B), and I don't understand why the EXTERNAL IP range (C) needs to be allowed.
upvoted 1 times
peterhawk
3 years, 6 months ago
It says explicitly that the connection is through the internet. There is no information that the company's internal network is connected through a VPN or other site-to-site connection.
upvoted 1 times
5868656e
3 years, 7 months ago
Admin, please edit the test to show the correct answers C and D, then remove this comment.
upvoted 1 times
lalia
3 years, 7 months ago
C, D https://digitalcloud.training/ssh-into-ec2-in-private-subnet/
upvoted 3 times
Xfo
3 years, 7 months ago
Answers are C and E. When we are doing SSH into our EC2 machines, we can't use a private IP, because we are not in the "same network". Remember the bastion is in the public subnet and the EC2 instances are in the private one with a different CIDR. We can only use the public IP.
upvoted 2 times
batchi_dz
3 years, 7 months ago
No! A VPC has its own router and you can reach your AWS resources from either a private or a public subnet because there is the default target "local", which you can also update. Every subnet that you create is automatically associated with the main route table for the VPC. Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Have a look at this: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
upvoted 3 times
olumba
3 years, 7 months ago
I am a network guy. This is C & D. You only whitelist the external (outside) IP of your firewall to access a bastion host. Also, different companies can use the same private IP as it is not routed to the internet.
upvoted 12 times
charlpl
3 years, 7 months ago
C and E for me. C because you will see the public NAT address of the company. E because the bastion is not dual-homed; it has only 1 public IP.
upvoted 1 times
Twinkie
3 years, 7 months ago
This is not true. Bastion hosts happen to be just regular EC2 instances where you have enabled SSH on port 22 from a public IP range. They have both a public and an internal IP like any other EC2 instance. And, just like any other EC2 instance, they use their private IP within a VPC to configure traffic routes and security rules.
upvoted 3 times
Community vote distribution: A (35%), C (25%), B (20%), Other