
Answer-first summary for fast verification
Answer: An outbound rule must be added to the Network ACL (NACL) to allow the response to be sent to the client on the ephemeral port range
Security groups are stateful, so allowing inbound traffic to the necessary ports enables the connection. Network ACLs are stateless, so you must allow both inbound and outbound traffic. By default, each custom Network ACL denies all inbound and outbound traffic until you add rules.

To enable the connection to a service running on an instance, the associated network ACL must allow both:

1. Inbound traffic on the port that the service is listening on
2. Outbound traffic to ephemeral ports

When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port. The designated ephemeral port becomes the destination port for return traffic from the service. Outbound traffic to the ephemeral port must be allowed in the network ACL.

Incorrect options:

- The configuration is complete on the EC2 instance for accepting and responding to requests - As explained above, this is an incorrect statement.
- An outbound rule on the security group has to be configured, to allow the response to be sent to the client on the HTTP port - Security groups are stateful. Therefore you don't need a rule that allows responses to inbound traffic.
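The following is an added example, not part of the LeetQuiz page: a small Python model of the two evaluation models the explanation contrasts. The NACL is evaluated statelessly per direction, lowest rule number first, with an implicit deny at the end; the security group tracks allowed inbound flows and lets their replies out regardless of outbound rules. The client address 203.0.113.10, the ephemeral source port 49152, the server address 10.0.1.5 and the rule numbers are constructed sample values; the ephemeral range 1024-65535 is the one the explanation cites.

```python
"""Added example (not from LeetQuiz): stateless NACL evaluation vs. a stateful
security group for one HTTP request and its response. Addresses, ports and
rule numbers are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

EPHEMERAL_RANGE = (1024, 65535)  # range the explanation cites for NACL return traffic


@dataclass(frozen=True)
class NaclRule:
    number: int     # NACL rules are evaluated lowest number first; first match wins
    protocol: str   # "tcp", "udp" or "-1" for all protocols
    port_lo: int
    port_hi: int
    cidr: str       # remote CIDR the rule applies to
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def evaluate_nacl(rules: List[NaclRule], pkt: Packet, direction: str) -> str:
    """Stateless: each packet is matched on its own against the rule list for its
    direction. Inbound rules match the destination port and the remote (source)
    CIDR; outbound rules match the destination port and the remote (destination)
    CIDR. No match falls through to the implicit '*' deny rule."""
    remote_ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", pkt.protocol):
            continue
        if not rule.port_lo <= pkt.dst_port <= rule.port_hi:
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action
    return "deny"


class StatefulSecurityGroup:
    """Stateful: once an inbound flow is allowed, its return traffic is allowed
    through connection tracking. Outbound rules are deliberately left out here
    (the quiz's group keeps the default allow-all outbound rule anyway) to show
    that the reply passes without any outbound rule at all, which is why option B
    is unnecessary."""

    def __init__(self, inbound_ports):
        self.inbound_ports = set(inbound_ports)
        self.tracked = set()  # 4-tuples of allowed inbound flows

    def inbound(self, pkt: Packet) -> str:
        if pkt.dst_port not in self.inbound_ports:
            return "deny"
        self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return "allow"

    def outbound(self, pkt: Packet) -> str:
        # A reply is the tracked flow with source and destination swapped.
        reply_of = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reply_of in self.tracked else "deny"


# Constructed sample flow: internet client -> web server on port 80 and back.
CLIENT_IP, CLIENT_PORT = "203.0.113.10", 49152   # ephemeral source port chosen by the client
SERVER_IP, HTTP_PORT = "10.0.1.5", 80
REQUEST = Packet(CLIENT_IP, CLIENT_PORT, SERVER_IP, HTTP_PORT)
RESPONSE = Packet(SERVER_IP, HTTP_PORT, CLIENT_IP, CLIENT_PORT)

# The custom NACL as the junior developer left it: HTTP inbound allowed, nothing outbound.
NACL_INBOUND = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_OUTBOUND_AS_CONFIGURED: List[NaclRule] = []
# Option A: add an outbound allow for the ephemeral range so the response can leave.
NACL_OUTBOUND_FIXED = [NaclRule(100, "tcp", *EPHEMERAL_RANGE, "0.0.0.0/0", "allow")]


def http_through_nacl(inbound: List[NaclRule], outbound: List[NaclRule]) -> Tuple[str, str]:
    """Return (request verdict, response verdict) for the stateless NACL."""
    return (evaluate_nacl(inbound, REQUEST, "inbound"),
            evaluate_nacl(outbound, RESPONSE, "outbound"))


def http_through_sg() -> Tuple[str, str]:
    """Return (request verdict, response verdict) for the stateful security group."""
    sg = StatefulSecurityGroup(inbound_ports=[HTTP_PORT])
    return (sg.inbound(REQUEST), sg.outbound(RESPONSE))


if __name__ == "__main__":
    print("NACL as configured:", http_through_nacl(NACL_INBOUND, NACL_OUTBOUND_AS_CONFIGURED))
    print("NACL with ephemeral outbound rule:", http_through_nacl(NACL_INBOUND, NACL_OUTBOUND_FIXED))
    print("Security group (stateful):", http_through_sg())
```

Running it shows the request reaching the instance in every case but the response being dropped by the NACL until the outbound ephemeral-range rule exists, while the security group passes the response with no outbound rule at all. The rule-number loop also illustrates why a lower-numbered deny in a real NACL overrides a later allow.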
Author: LeetQuiz Editorial Team
A junior developer has been tasked with setting up access to an Amazon EC2 instance that is running a web application. The developer has created a new security group that allows incoming HTTP traffic from any IP address (0.0.0.0/0) and has kept the default rules for outgoing traffic unchanged. Additionally, a custom Network Access Control List (NACL) associated with the EC2 instance's subnet has been configured to allow incoming HTTP traffic from any IP address (0.0.0.0/0) and has retained the default outbound rules.
Given this setup, which solution would you recommend to ensure that the EC2 instance can both accept and respond to requests from the internet?
A. An outbound rule must be added to the Network ACL (NACL) to allow the response to be sent to the client on the ephemeral port range
B. An outbound rule on the security group has to be configured, to allow the response to be sent to the client on the HTTP port
C. The configuration is complete on the EC2 instance for accepting and responding to requests
D. Outbound rules need to be configured both on the security group and on the NACL for sending responses to the Internet Gateway