Exam ANS-C00 topic 1 question 7 discussion

C - you cannot use NACL as ELB does not have fixed IP. Also there is no "ELB servers"

Not sure why there are different responses to this. Answer is already given in the question itself. "incorrectly configured sites are causing a single application server to degrade", if a server is behind an ELB, yet this server is getting direct requests - which indicates the rogues website are sending traffic directly to degraded server = this server has a public IP. The cause is being able to communicate with the degraded server directly. Force the traffic via ELB. A - nope. B - secondary config, does not resolve issue. D - terminating still means the issue can reappear. If the ASG assigns a public IP to each instance, if I were to misconfigure websites for each of the 4 servers IPs, by-passing the ELB, I could get 4 degraded servers. D is wrong. Answer is C. Forcing traffic via SG config means even if the EC2 instances has public IPs, the SG would drop the traffic as HTTP 80 is only allowed via ELB.

This is what the udemy exam says

Correct Answer D

Answer:C Can't use NACL since its stateless and require a outbound rule also

C, "incorrectly configured sites are causing a single application server to degrade" this is a self explanatory statement that the Server should only allow the Web Traffic from ELB only. As per the AWS Best practice Answer is C. D is not 100% secure answer.

It seems the ASG is assigning public IP address to the instance which has been somehow gotten hold of and being accesses directly. If you terminate and let auto scaling create a new instance it will get a new public IP and the client has no way of knowing it. Hence stick with D.

Agree with C. In this situation, IT guy might route the clients app from one or some offices directly to web service instead of ELB IP address. So C. Configure the application servers SG only accept the connection with port 80 from ELB is correct. It will block all other traffic from another source IP, in this case from client applications. Then avoid such issue.

I will go with B A - It doesn't prevent future occurrence as new client sites again follow wrong settings and cause another machine to go down. B - Once NACL is applied on subnet level, no need to update it for new instances. Hence, best solution in this case. C - Somewhat correct. But autoscaling is configured and hence, we will get new instances if required, in that case, SG has to be updated manually on new instances. SG - Tied to an instance D - It doesn't prevent future occurrences as A

and prevent future occurrences is the key phrase. D would allow for the issue to occur again C would prevent future issues from occurring Answer C

f its an internet facing ALB and sits in public subnet (bastion host existence implies this) then the SG with source 0.0.0.0/0 (default) seems to be correct. ref: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-groups.html#recommended-sg-rules Therefore I go for D.

Consider that the question is not say if the Instances are in a public o private subnet. A. No B. If you close 22 port, you lost access to ec2 instances and probably the problem persist (maybe attack 80 port) C. Correct. Because is a good practice, is more secure. Delete risk attack. D. Problem could be repeat.

Answe is C; SG allow port 80 with source security group ELB.

Since the question is giving remedy the situation and prevent future occurrences. D. Will give temporary solution by removing the instance but chances of problem again. A. Should be correct solution So answer A

C is Correct answer

Looks D . terminate server and let traffic is load balance across rest of servers.

When ELB is set to round robin and no sticky sessions how can all connections from incorrectly configured sites land on a single server? So it has to be an individual server issue.