Answer-first summary for fast verification
Answer: The CloudOps engineer did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.
Network ACLs are stateless, which means that return traffic must be explicitly allowed by rules. If inbound HTTP traffic is allowed, an outbound rule must also be created in the network ACL to allow response traffic on ephemeral ports back to the client. Security groups are stateful and would automatically allow the return traffic.
Author: Ritesh Yadav
Ultimate access to all questions.
Question #27
A CloudOps engineer is creating a simple, public-facing website running on Amazon EC2. The CloudOps engineer created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the CloudOps engineer created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the CloudOps engineer created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.
What is the cause of this issue?
A
The CloudOps engineer did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.
B
The CloudOps engineer did not create an outbound rule in the security group that allows HTTP traffic from port 80.
C
The Elastic IP address assigned to the EC2 instance has changed.
D
There is an additional network ACL associated with the subnet that includes a rule that denies inbound HTTP traffic from port 80.
No comments yet.