Exam AWS-SysOps topic 1 question 619 discussion

Exam question from Amazon's AWS-SysOps
Question #: 619
Topic #: 1

An HTTP web application is launched on Amazon EC2 instances behind an ELB Application Load Balancer. The EC2 instances run across multiple Availability Zones. A network ACL and a security group for the load balancer and EC2 instances allow inbound traffic on port 80. After launch, the website cannot be reached over the internet.
What additional step should be taken?

  • A. Add a rule to the security group allowing outbound traffic on port 80.
  • B. Add a rule to the network ACL allowing outbound traffic on port 80.
  • C. Add a rule to the security group allowing outbound traffic on ports 1024 through 65535.
  • D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
Suggested Answer: B

Comments

chris82
Highly Voted 2 years, 7 months ago
ACL outbound rules filter based on port/subnet destination, not source. I would say that D is correct since the packets are generated with ephemeral ports: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
upvoted 19 times
AWSum1
2 years, 7 months ago
I was convinced that the answer was B. Great explanation in the link you have given. Thanks mate
upvoted 1 times
shimmy
2 years, 6 months ago
No, B is the right answer. Ephemeral ports are allowed INBOUND, but the answer choices all say OUTBOUND. The question also never says that we have already allowed HTTP outbound on the NACL. It only mentions inbound as well, but if we never allow OUTBOUND then the inbound rules do not matter.
upvoted 2 times
Cyril_the_Squirl
2 years, 6 months ago
A client outside initiates a connection to your EC2 inside your VPC. The outside client uses ephemeral ports as their source... and they use the HTTP port 80 as their destination. Port 80 is open inbound, therefore ephemeral ports must be open outbound in order for your server to return the responses back to the client. If not the default VPC, you use the NACL to open ephemeral ports. Check this: https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
upvoted 1 times
Drey
2 years, 6 months ago
Security groups are stateless, I think.
upvoted 1 times
RGT
Highly Voted 2 years, 7 months ago
Agreed, it is D: https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
upvoted 12 times
Ka
2 years, 7 months ago
Thanks. After reviewing the link I would say D is correct.
upvoted 1 times
albert_kuo
Most Recent 10 months ago
Selected Answer: B
Network ACLs control inbound and outbound traffic at the subnet level. In this scenario, if the network ACL is not configured to allow outbound traffic on port 80, the responses from the EC2 instances to the clients will be blocked, preventing the web application from being reached over the internet.
upvoted 1 times
albert_kuo
6 months ago
Change to D
upvoted 1 times
abhishek_m_86
2 years, 6 months ago
D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535. Seems correct.
upvoted 2 times
Chirantan
2 years, 6 months ago
D is correct. A NAT gateway uses ports 1024-65535. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports
upvoted 3 times
Radhaghosh
2 years, 6 months ago
Correct answer is D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
upvoted 1 times
jackdryan
2 years, 6 months ago
I'll go with D
upvoted 1 times
wini1
2 years, 6 months ago
Answer D, I tested this scenario.
upvoted 1 times
MFDOOM
2 years, 6 months ago
D. Add a rule to the network ACL allowing outbound traffic on ports 1024 through 65535.
upvoted 1 times
gilbertlelancelo
2 years, 6 months ago
Ans D. NACL must also have an inbound rule allowing requests on port 80. However, due to the stateless nature of Network ACLs, it must also have an explicit rule for the response back to you on your ephemeral port between 1024 and 65535. https://alliescomputing.com/knowledge-base/how-to-handle-ephemeral-ports-in-security-groups-and-network-acls
upvoted 4 times
jpush
2 years, 6 months ago
Requests originating from Elastic Load Balancing use ports 1024-65535. Answer is D.
upvoted 2 times
waterzhong
2 years, 6 months ago
It is D.
upvoted 1 times
Pirulou
2 years, 6 months ago
D is correct; the request must come in on TCP 80, but the response goes out over TCP ports 1024-65535.
upvoted 1 times
tifoz
2 years, 6 months ago
Yes, it is D. You need to allow the HTTP server to respond to clients' requests. http://www.tcpipguide.com/free/diagrams/portsclientserver.png
upvoted 1 times
asim1982
2 years, 6 months ago
D is correct. Return traffic will always be on random ephemeral ports and not exactly on the incoming port. Here port 80 HTTP is allowed inbound; return traffic will choose a random port, so that needs to be allowed in the NACL because of its stateless nature. Hence D is 100% correct. Let me know if anyone thinks otherwise :)
upvoted 2 times
shammous
2 years, 6 months ago
B is correct, as we need to explicitly allow outbound traffic on port 80 in the NACL. We don't need to allow ephemeral ports, as we only need port 80 in our case.
upvoted 1 times
KhatriRocks
2 years, 6 months ago
I'll go with D based on the https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/
upvoted 1 times
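To make the stateless-versus-stateful argument running through the comments above concrete, here is an added Python model (not code from the exam page, from AWS, or from any commenter) of how a stateless network ACL and a stateful security group each evaluate the inbound HTTP request and the server's reply; the addresses, ports and rule numbers are constructed sample values, and the load balancer hop is collapsed into a single web endpoint.

```python
"""Stateless NACL vs stateful security group, modelled for the ELB/EC2 HTTP
scenario. Addresses, ports and rule numbers are constructed sample values,
not taken from the exam page or from AWS documentation."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port")
# NACL rules are evaluated lowest number first; no match means deny.
Rule = namedtuple("Rule", "number direction port_lo port_hi action")

def nacl_allows(rules, direction, pkt):
    """Stateless: a reply is matched on its own destination port, which for
    an HTTP response is the client's ephemeral port, not port 80."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction == direction and r.port_lo <= pkt.dst_port <= r.port_hi:
            return r.action == "allow"
    return False

class SecurityGroup:
    """Stateful: the reply to an allowed inbound flow is permitted even when
    no outbound rule exists, because the flow is tracked."""
    def __init__(self, inbound_ports):
        self.inbound_ports, self.flows = set(inbound_ports), set()
    def allows(self, direction, pkt):
        if direction == "in" and pkt.dst_port in self.inbound_ports:
            self.flows.add(pkt)
            return True
        if direction == "out":
            return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows
        return False

def http_round_trip_ok(nacl_rules):
    """Client 203.0.113.10:51234 -> web 10.0.1.5:80, then the reply (constructed)."""
    sg = SecurityGroup(inbound_ports=[80])       # no outbound SG rules at all
    req = Packet("203.0.113.10", 51234, "10.0.1.5", 80)
    rep = Packet("10.0.1.5", 80, "203.0.113.10", 51234)
    return (nacl_allows(nacl_rules, "in", req) and sg.allows("in", req)
            and sg.allows("out", rep) and nacl_allows(nacl_rules, "out", rep))

INBOUND_80 = Rule(100, "in", 80, 80, "allow")
OPTION_B = [INBOUND_80, Rule(100, "out", 80, 80, "allow")]        # outbound port 80
OPTION_D = [INBOUND_80, Rule(100, "out", 1024, 65535, "allow")]   # ephemeral range

if __name__ == "__main__":
    for name, rules in [("inbound only", [INBOUND_80]), ("B", OPTION_B), ("D", OPTION_D)]:
        print(f"{name}: reply reaches client = {http_round_trip_ok(rules)}")
```

The security group never needs an outbound rule here (options A and C), because its flow table already covers the reply; only the NACL, which inspects the reply's destination port in isolation, decides whether the client ever sees a response.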
Community vote distribution
A (35%)
C (25%)
B (20%)
Other