Exam AWS Certified Solutions Architect - Associate SAA-C02 topic 1 question 198 discussion

A & E are correct.

A = Security Group = Stateful E = NACL = Stateless = Bi-directional, Inbound - Any Source to Destination port-TCP & Outbound Any Destination to TCP Port-range. Not for all ports.

While you do need to allow inbound port 443, outbound traffic on ephemeral ports (32768-65535) is not necessary for this use case, and it's not required to explicitly allow these ports for HTTPS communication.

To make the web server accessible from everywhere on port 443, you would need to perform the following steps: Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0: This allows inbound traffic on port 443 from any source IP address. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0: This allows inbound traffic on port 443 from any source IP address. So, the correct combination of steps would be: A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0. C. Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.

E - is not correct ! ! ! Option E suggests updating the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0. However, this is not necessary for allowing inbound traffic on port 443. Network ACLs control traffic at the subnet level, and for inbound traffic to reach the EC2 instance, you only need to allow inbound traffic on port 443 from the source IP addresses specified in the ACL's rules. Allowing outbound traffic on ports 32768-65535 to destination 0.0.0.0/0 is also unnecessary for this scenario and could potentially introduce security risks by allowing unrestricted outbound traffic. Therefore, option E is not required to accomplish the task of making the web server accessible from everywhere on port 443.

To make the web server accessible from everywhere on port 443, you would need to perform the following steps: Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0: This allows inbound traffic on port 443 from any source IP address. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0: This allows inbound traffic on port 443 from any source IP address. So, the correct combination of steps would be: A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0. C. Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.

Definitely A & E

AE ..... There's a corresponding outbound rule that enables responses to that inbound traffic (outbound rule 140, which covers ephemeral ports 32768-65535) https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

A + E is correct

AE 100% - If you have doubts, read again option D. Communication between hosts with src and dst port 443 will be impossoble unless specified in configuration. For typical uses it will never appear. Between D&E example: D) SRC: 10.0.0.10/24:443 & DST 128.0.0.128/24:443 = NOT GOOD ;) E) SRC: 10.0.0.10/24:[random high port] & DST 128.0.0.128/24:443 = It is how TCP works I hope it helped

Case 1: if a request comes into a web server in your VPC from a Windows 10 client on the internet, your network ACL must have an outbound rule to enable traffic destined for ports 49152-65535 (ephemeral ports, range varies). Case 2: If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on) https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html I think q it's case 1 so you need outbound rule for ephemeral ports.

A & E : "To enable the connection to a service running on an instance, the associated network ACL must allow both: Inbound traffic on the port that the service is listening on Outbound traffic to ephemeral ports" https://aws.amazon.com/premiumsupport/knowledge-center/resolve-connection-sg-acl-inbound/

https://aws.amazon.com/premiumsupport/knowledge-center/connect-http-https-ec2/

A & E absolutely.

This question came to my exam.

A&E The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system. Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000. Requests originating from Elastic Load Balancing use ports 1024-65535. Windows operating systems through Windows Server 2003 use ports 1025-5000. Windows Server 2008 and later versions use ports 49152-65535. A NAT gateway uses ports 1024-65535. AWS Lambda functions use ports 1024-65535. Therefore range for Windows 2008 or Linux is 32768-65535.

A and D I think. A is obvious because a security group is stateful. ACL is however stateless and needs to be opened in both directions. Opening from ephemeral ports is irrelevant because the webserver will not initiate traffic, but only respond to traffic directed to port 443. Ephemeral ports are used to initiate traffic from a host.