
Explanation:
The issue is likely caused by the stateless nature of Network ACLs (NACLs).

* NACLs vs. Security Groups: Security groups are stateful; if you allow inbound traffic on port 80, the return traffic is automatically allowed. However, NACLs are stateless. If you allow inbound HTTP (port 80) traffic, you must also explicitly allow outbound traffic to the ephemeral ports (typically 1024-65535) that the client used to initiate the connection.
* Troubleshooting: If the CloudOps engineer only added an inbound rule to the NACL, the response packet from the web server back to the internet user would be blocked by the NACL's default 'Deny' outbound rule.
* Comparison:
  * Option B is incorrect because Security Groups are stateful; they don't strictly require an outbound rule for return traffic if the inbound rule matches.
  * Option C is incorrect because Elastic IPs are static and do not change unless manually released.
  * Option D is incorrect because subnets can only be associated with one NACL at a time.
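The stateless evaluation described above can be modelled in a few lines. This is an added example, not part of the original question or any AWS code: the `Rule` class, the function names and the rule numbers are constructed for illustration, and source CIDRs are left out because every rule in the scenario uses 0.0.0.0/0.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order, lowest first
    direction: str     # "in" or "out"
    port_lo: int       # destination port range, inclusive
    port_hi: int
    action: str        # "allow" or "deny"

def nacl_verdict(rules, direction, dst_port):
    """Stateless check: the lowest-numbered matching rule wins, else deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction == direction and rule.port_lo <= dst_port <= rule.port_hi:
            return rule.action
    return "deny"  # default deny when no rule matches

def http_round_trip(nacl, client_port, server_port=80):
    """Follow one HTTP exchange through the subnet's NACL in both directions."""
    # Request: client ephemeral port -> server port 80, evaluated inbound.
    if nacl_verdict(nacl, "in", server_port) != "allow":
        return "request dropped inbound"
    # Response: its destination is the client's ephemeral port. The NACL keeps
    # no connection state, so this packet is judged as fresh outbound traffic.
    if nacl_verdict(nacl, "out", client_port) != "allow":
        return "response dropped outbound"
    return "reachable"

# Constructed rule sets matching the scenario; rule numbers are sample values.
AS_CONFIGURED = [Rule(100, "in", 80, 80, "allow")]
CORRECTED = AS_CONFIGURED + [Rule(100, "out", 1024, 65535, "allow")]

if __name__ == "__main__":
    for name, nacl in (("as configured", AS_CONFIGURED), ("corrected", CORRECTED)):
        print(f"{name}: {http_round_trip(nacl, client_port=49152)}")
```

The security group in the scenario needs no equivalent outbound entry because it tracks the connection and admits the reply automatically.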
Question #27
A CloudOps engineer is creating a simple, public-facing website running on Amazon EC2. The CloudOps engineer created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the CloudOps engineer created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the CloudOps engineer created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.
What is the cause of this issue?
A
The CloudOps engineer did not create an outbound rule that allows ephemeral port return traffic in the new network ACL.
B
The CloudOps engineer did not create an outbound rule in the security group that allows HTTP traffic from port 80.
C
The Elastic IP address assigned to the EC2 instance has changed.
D
There is an additional network ACL associated with the subnet that includes a rule that denies inbound HTTP traffic from port 80.