Virtual Private Cloud Quiz
An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?
A. The Outbound Security Group needs to be modified to allow outbound traffic.
B. The Outbound Network ACL needs to be modified to allow outbound traffic.
C. Nothing, it can be accessed from any IP address using SSH.
D. Both the Outbound Security Group and Outbound Network ACL need to be modified toallow outbound traffic.
B. The Outbound Network ACL needs to be modified to allow outbound traffic.
For an EC2 Instance to allow SSH, you can have the below configurations for the Security and Network ACL for Inbound and Outbound Traffic.The reason why Network ACL has to have both an Allow for Inbound and Outbound is because network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Whereas for Security groups, responses are stateful. So if an incoming request is granted, by default an outgoing request will also be granted.Options A and D are invalid because Security Groups are stateful. Here, any traffic allowed in the Inbound rule is allowed in the Outbound rule too. Option C is in. For more information on Network ACLs,
please refer to the link below.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
