Exam AWS-SysOps topic 1 question 783 discussion

ok i get it its D

D is the answer

D is Correct. Th ping is from 203.0.113.12 to 172.31.16.13 9: The security group's inbound rules allow ICMP traffic, but the outbound rules do not allow ICMP traffic. Because security groups are stateful, the response ping from your instance is allowed. The network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic. Network ACLs are stateless, then the response ping is dropped.

[sampleXML/xmlfile-413 1.png] contains - 2 123456789010 eni-1234abcd 3.104.75.244 172.31.10.10 0 0 1 4 336 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1234abcd 172.31.10.10 3.104.75.244 0 0 1 4 336 1432917094 1432917142 REJECT OK

All the ansears are incorrect If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance. https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups this is a repeated Q and ICMP is blocked by default https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html#flow-log-example-security-groups

Correct Answer: D

D. Modify the VPC network ACL rules to allow outbound traffic to the on-premises computer

D is the answer SG is stateful, so no need to set outbound NACL is stateless, so what comes in, will not be allowed to come out automatically, hence you need to declare it

D - Allow outbound using NACL

D- this a NACL problem because they are stateless. SGs are stateful so any allowed in traffic is allowed response out and visa versa.