
Exam AWS-SysOps topic 1 question 236 discussion

Exam question from Amazon's AWS-SysOps
Question #: 236
Topic #: 1

A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24.
The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the entries below is required in the web server security group (WebSecGrp)?

  • A. Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound
  • B. 80 for Destination 0.0.0.0/0 Outbound
  • C. Configure port 3306 for source 20.0.0.0/24 InBound
  • D. Configure port 80 InBound for source 20.0.0.0/16
Suggested Answer: A
A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public subnet and a private subnet to host the web server and the DB server respectively, the user should configure the instances in the public subnet so that they can receive inbound traffic directly from the internet. Thus, the user should configure port 80 with source 0.0.0.0/0 in InBound. The user should also configure the instance in the public subnet so that it can send traffic to the private subnet instances on the DB port. Thus, the user should configure the DB security group of the private subnet (DbSecGrp) as the destination for port 3306 in Outbound.
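The explanation above is easier to check as concrete rule sets. What follows is an added example, not code from ExamTopics or from AWS: it writes WebSecGrp and DbSecGrp in the IpPermissions shape that boto3's authorize_security_group_ingress / authorize_security_group_egress accept, replaces the allow-all outbound rule AWS attaches to every new security group with a single rule to DbSecGrp, and runs a small check that reports which of the entries the question expects are missing, whether the default outbound rule is still present, and whether the database port is open to 0.0.0.0/0. The group IDs are placeholders and nothing here calls AWS.

```python
"""Least-privilege security groups for the two-tier VPC in the question.

Added example, not code from ExamTopics or from AWS. The rule dictionaries use
the IpPermissions shape that boto3's authorize_security_group_ingress /
authorize_security_group_egress accept, but nothing here calls AWS; the group
IDs are made-up placeholders.
"""
import copy

WEB_SG_ID = "sg-0web000000000001"  # placeholder for WebSecGrp
DB_SG_ID = "sg-0db0000000000001"   # placeholder for DbSecGrp
ANY = "0.0.0.0/0"

# The rule AWS attaches to every new security group: all outbound traffic.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []}


def tcp_rule(port, cidrs=(), group_ids=()):
    """One IpPermissions entry for a single TCP port, by CIDR or by peer group."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs],
        "UserIdGroupPairs": [{"GroupId": g} for g in group_ids],
    }


SECURITY_GROUPS = {
    WEB_SG_ID: {
        "name": "WebSecGrp",
        "ingress": [tcp_rule(80, cidrs=[ANY])],            # web tier reachable from the internet
        "egress": [tcp_rule(3306, group_ids=[DB_SG_ID])],  # default allow-all egress replaced
    },
    DB_SG_ID: {
        "name": "DbSecGrp",
        "ingress": [tcp_rule(3306, group_ids=[WEB_SG_ID])],  # only the web tier, by group ID
        "egress": [],  # groups are stateful: replies to web-tier connections need no rule
    },
}


def covers(rule, port, cidr=None, group_id=None):
    """True if one IpPermissions entry permits `port` for the given peer CIDR or group."""
    if rule["IpProtocol"] not in ("-1", "tcp"):
        return False
    if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    cidrs = {r["CidrIp"] for r in rule.get("IpRanges", [])}
    groups = {p["GroupId"] for p in rule.get("UserIdGroupPairs", [])}
    peer_ok = ANY in cidrs  # 0.0.0.0/0 reaches any CIDR and any group
    if cidr is not None:
        peer_ok = peer_ok or cidr in cidrs
    if group_id is not None:
        peer_ok = peer_ok or group_id in groups
    return peer_ok


def has_rule(sg, direction, port, cidr=None, group_id=None):
    return any(covers(r, port, cidr, group_id) for r in sg[direction])


def lint(groups):
    """Findings against the design in the question; an empty list means it matches."""
    web, db = groups[WEB_SG_ID], groups[DB_SG_ID]
    findings = []
    if not has_rule(web, "ingress", 80, cidr=ANY):
        findings.append("WebSecGrp: missing inbound TCP 80 from 0.0.0.0/0")
    if not has_rule(web, "egress", 3306, group_id=DB_SG_ID):
        findings.append("WebSecGrp: missing outbound TCP 3306 to DbSecGrp")
    if not has_rule(db, "ingress", 3306, group_id=WEB_SG_ID):
        findings.append("DbSecGrp: missing inbound TCP 3306 from WebSecGrp")
    for sg in groups.values():
        if any(r["IpProtocol"] == "-1" and covers(r, 0, cidr=ANY) for r in sg["egress"]):
            findings.append(f"{sg['name']}: default allow-all outbound rule still present")
    if any(covers(r, 3306, cidr=ANY) for r in db["ingress"]):
        findings.append("DbSecGrp: database port open to 0.0.0.0/0")
    return findings


def replace_rules(groups, sg_id, direction, rules):
    """Deep copy of `groups` with one group's ingress or egress list swapped out."""
    patched = copy.deepcopy(groups)
    patched[sg_id][direction] = rules
    return patched


if __name__ == "__main__":
    print(lint(SECURITY_GROUPS) or "design matches the question")
    # Leaving the default outbound rule in place is the one finding the check raises here.
    print(lint(replace_rules(SECURITY_GROUPS, WEB_SG_ID, "egress", [DEFAULT_EGRESS])))
```

The peer check treats 0.0.0.0/0 as covering every group ID as well as every CIDR, so the default outbound rule is reported as a hygiene finding rather than as a missing 3306 entry: that is why answer A only matters once the default egress rule has been removed, as the AWS guidance quoted in the thread recommends.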

Comments

Finger41
9 months, 4 weeks ago
None of these answers are technically correct. A - SGs by default allow all outbound, so not necessary. B - SGs by default allow all outbound, so not necessary. C - More applicable for DbSecGrp. Not public IPs. D - Should be port 80 Inbound for 0.0.0.0
upvoted 1 times
aidenpearce01
1 year, 1 month ago
SG outbound by default allows all, so why need only 80? If it's Inbound, it's correct.
upvoted 1 times
TroyMcLure
1 year, 5 months ago
Correct Answer: A https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html "Outbound Rules: By default, a security group includes an outbound rule that allows all outbound traffic. We recommend that you remove this default rule and add outbound rules that allow specific outbound traffic only. ... The VPC security group must also allow outbound traffic to the security groups of the data destinations, specifically on the port or ports that the database is listening on. "
upvoted 1 times
Thabo_Ramoshai
1 year, 5 months ago
All answers are incorrect; remember that an SG will allow outbound traffic. Answers might have been captured incorrectly. WebSecGrp ONLY requires port 80 traffic from 0.0.0.0/0 inbound.
upvoted 1 times
ImranR
1 year, 6 months ago
A is Correct.
upvoted 3 times
bolijeje
1 year, 6 months ago
The answer is B. The WebServer security group is internet facing and will allow any IP (0.0.0.0/0) on port 80.
upvoted 1 times
ImranR
1 year, 6 months ago
No. It's the opposite... the user should configure port 80 with source 0.0.0.0/0 in InBound.
upvoted 2 times
Zia1981
1 year, 6 months ago
I think the question is probably missing the Private Subnet CIDR information. If the Private Subnet CIDR was 20.0.0.0/24, then WebSgr can have an INBOUND rule with a source of DBSG on port 3306. Hence, C can be a potential correct choice.
upvoted 1 times
ImranR
1 year, 6 months ago
The Private Subnet CIDR information is missed intentionally to check your IQ... You can choose DBsecurityGp as the destination instead of the Private Subnet CIDR... So, A is the correct answer...
upvoted 3 times
gretch
1 year, 6 months ago
It's A.
upvoted 3 times
AWS_Noob
1 year, 6 months ago
B - because it will allow public access to the Websec SG only. If D - that opens the SG to the entire CIDR.
upvoted 2 times
a_w_s
1 year, 6 months ago
B: seems the right answer. Security Groups are stateful.
upvoted 1 times
allexxf
1 year, 7 months ago
I think D. Not A, because outgoing rules are always allowed for everyone by default and there is no point in allowing something else. In favor of D, the question says that the server will work on port 80 (but it is not indicated who should contact it); therefore access to port 80 must be opened at least for someone.
upvoted 4 times
awscertified
1 year, 6 months ago
Agree.
upvoted 1 times
mvsnogueira
1 year, 6 months ago
I agree with you. I tested here and Option A didn't work.
upvoted 1 times
shimmy
1 year, 6 months ago
You can delete the default outbound rule and add a specific outbound rule. This is actually best practice. Link: https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other