
Answer-first summary for fast verification
Answer: A and E. (A) Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0. (E) Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.

## Explanation

To make the web server accessible on port 443, we need to address both **Security Groups** and **Network ACLs**:

### 1. Security Group (Option A)

- Security groups act as stateful firewalls at the instance level.
- The default security group is currently assigned; by default it allows all outbound traffic but no inbound traffic from external sources, so we need to create a new security group with an inbound rule allowing TCP port 443 from anywhere (0.0.0.0/0).
- Option A correctly creates this rule.
- Option B is incorrect because security group inbound rules specify a source, not a destination.

### 2. Network ACL (Option E)

- Network ACLs act as stateless firewalls at the subnet level.
- Since the default network ACL has been modified to block all traffic, we need to add specific rules:
  - **Inbound**: Allow TCP port 443 from source 0.0.0.0/0 (for incoming HTTPS requests).
  - **Outbound**: Allow TCP ephemeral ports 32768-65535 to destination 0.0.0.0/0 (for the response traffic).
- Option E correctly specifies both the inbound and the outbound rule with the proper ephemeral port range.
- Option C is incomplete because it only addresses inbound traffic; the responses are never considered.
- Option D is incorrect because it allows outbound traffic to destination port 443, but responses are sent to the client's ephemeral port, not to port 443.

### Why the other options are incorrect

- **Option B**: Security group inbound rules use source addresses, not destination addresses.
- **Option C**: Only addresses inbound traffic; the responses would be blocked by the stateless network ACL.
- **Option D**: Specifies outbound traffic on port 443; responses go to ephemeral ports, so the rule never matches them.

### Key AWS Concepts

- **Security Groups**: Stateful; return traffic for an allowed connection is automatically allowed.
- **Network ACLs**: Stateless; both inbound and outbound rules must be explicitly configured, and rules are evaluated in order with an implicit deny at the end.
- **Ephemeral Ports**: A client opens the connection from an ephemeral source port (32768-65535 in this question), so the server's responses are addressed to that port and the outbound ACL rule must cover the range.
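The stateful-versus-stateless distinction above is what decides options C, D and E, so here is an added example (not from the LeetQuiz page and not an AWS API) that models a security group with connection tracking and a network ACL with ordered, direction-specific rules, then runs the HTTPS request and its response through each candidate ACL. The client and server addresses, the ephemeral source port 50123 and the rule numbers are constructed for illustration; only the port values come from the question.

```python
"""Added illustration of SG (stateful) vs NACL (stateless) evaluation.
This is a simplified model written for this page, not AWS's own logic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (32768, 65535)  # ephemeral range used in the question


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rules are evaluated in ascending order
    direction: str    # "inbound" or "outbound"
    proto: str
    ports: tuple      # (low, high) destination-port range
    cidr: str         # source CIDR for inbound, destination CIDR for outbound
    action: str = "allow"

    def matches(self, pkt: Packet) -> bool:
        ip = pkt.src_ip if self.direction == "inbound" else pkt.dst_ip
        return (self.proto in (pkt.proto, "all")
                and self.ports[0] <= pkt.dst_port <= self.ports[1]
                and ip_address(ip) in ip_network(self.cidr))


class NetworkACL:
    """Stateless: every packet, request or response, is checked against the
    rules for its own direction; nothing is remembered between packets."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt: Packet, direction: str) -> bool:
        for r in self.rules:
            if r.direction == direction and r.matches(pkt):
                return r.action == "allow"
        return False  # implicit deny (the trailing '*' rule)


class SecurityGroup:
    """Stateful: an allowed inbound flow is tracked and its return traffic is
    permitted without consulting outbound rules (the default SG also allows
    all outbound anyway; the model only shows the tracked return path)."""
    def __init__(self, inbound_rules):
        self.inbound = inbound_rules
        self.tracked = set()

    def permits_inbound(self, pkt: Packet) -> bool:
        ok = any(r.matches(pkt) for r in self.inbound)
        if ok:
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return ok

    def permits_outbound(self, pkt: Packet) -> bool:
        # The reverse 4-tuple of a tracked flow is return traffic.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked


def https_roundtrip(nacl, sg, client_ip="203.0.113.10", server_ip="198.51.100.5"):
    """Run the client's SYN to port 443 and the server's reply back to the
    client's ephemeral port. Returns (request_delivered, response_delivered)."""
    req = Packet(client_ip, 50123, server_ip, 443)   # client picks an ephemeral source port
    resp = Packet(server_ip, 443, client_ip, 50123)  # reply is addressed to that port
    if not (nacl.permits(req, "inbound") and sg.permits_inbound(req)):
        return (False, False)
    return (True, sg.permits_outbound(resp) and nacl.permits(resp, "outbound"))


def option_a_sg():
    return SecurityGroup([Rule(0, "inbound", "tcp", (443, 443), "0.0.0.0/0")])


def option_c_nacl():  # inbound 443 only
    return NetworkACL([Rule(100, "inbound", "tcp", (443, 443), "0.0.0.0/0")])


def option_d_nacl():  # inbound 443 and outbound 443
    return NetworkACL([Rule(100, "inbound", "tcp", (443, 443), "0.0.0.0/0"),
                       Rule(100, "outbound", "tcp", (443, 443), "0.0.0.0/0")])


def option_e_nacl():  # inbound 443 and outbound ephemeral range
    return NetworkACL([Rule(100, "inbound", "tcp", (443, 443), "0.0.0.0/0"),
                       Rule(100, "outbound", "tcp", EPHEMERAL, "0.0.0.0/0")])


if __name__ == "__main__":
    for name, nacl in (("C", option_c_nacl()), ("D", option_d_nacl()), ("E", option_e_nacl())):
        print(name, https_roundtrip(nacl, option_a_sg()))
```

Running it shows the request reaching the instance under all three ACLs, while the reply is only delivered under option E: with C there is no outbound rule at all, and with D the outbound rule's port 443 never matches a reply whose destination port is the client's ephemeral port. The security group passes the reply in every case because it tracked the inbound flow.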
Author: LeetQuiz Editorial Team
A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 443.
Which combination of steps will accomplish this task? (Choose two.)
A
Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.
B
Create a security group with a rule to allow TCP port 443 to destination 0.0.0.0/0.
C
Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.
D
Update the network ACL to allow inbound/outbound TCP port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0.
E
Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.