Practice Test 2 | AWS Certified Solutions Architect Associate | SAA-C03 | Dumps | Mock Test
An instance is launched into a VPC subnet with the network ACL configured to allow all outbound traffic and deny all inbound traffic. The instance’s security group is configured to allow SSH from any IP address. What changes need to be made to allow SSH access to the instance?
A. The Outbound Security Group needs to be modified to allow outbound traffic.
B. The Inbound Network ACL needs to be modified to allow inbound traffic
C. Nothing, it can be accessed from any IP address using SSH.
D. Both the Outbound Security Group and Outbound Network ACL need to be modified toallow outbound traffic.
Explanation:
Answer – B
For an EC2 Instance to allow SSH, you can have the below configurations for the Security and Network ACL for Inbound and Outbound Traffic.
The reason why Network ACL has to have both an Allow for Inbound and Outbound is because network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Whereas for Security groups, responses are stateful. So if an incoming request is granted, by default an outgoing request will also be granted.
- Options A and D are invalid because Security Groups are stateful. Here, any traffic allowed in the Inbound rule is allowed in the Outbound rule too. Option C is incorrect.
- For more information on Network ACLs, please refer to the link below.
Comments are closed, but trackbacks and pingbacks are open.