
Exam AWS-SysOps topic 1 question 21 discussion

Exam question from Amazon's AWS-SysOps
Question #: 21
Topic #: 1

Your entire AWS infrastructure lives inside one Amazon VPC. You have an infrastructure monitoring application running on an Amazon EC2 instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to use ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?

  • A. No, two instances in two different AZs can't talk directly to each other via ICMP ping, as that protocol is not allowed across subnet (i.e. broadcast) boundaries
  • B. Yes, both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
  • C. Yes, the security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow inbound ICMP
  • D. Yes, both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol
Suggested Answer: C
Even though ICMP is not a connection-oriented protocol, security groups are stateful: "Security groups are stateful: responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa." So the monitoring instance's group needs an outbound rule for the ICMP echo request to the application instance, and the application instance's group needs an inbound rule for that echo request from the monitoring instance. The echo replies are tracked as return traffic of the allowed request and need no rule of their own in either group, which is why the extra inbound and outbound rules in D are unnecessary. To satisfy the "nothing else" requirement, scope both rules to ICMP type 8 (Echo Request) and reference the peer by its security group ID (or its private IP as a /32) rather than 0.0.0.0/0. Note that network ACLs, unlike security groups, are stateless: if the two subnets use a custom network ACL, it must allow the echo request and the echo reply in both directions.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
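The following is an added example, not code from the page or from AWS: a small Python model of stateful security-group evaluation that walks the four checkpoints of a ping (monitor egress, application ingress, application egress for the reply, monitor ingress for the reply) under the rule sets of options C and D. The group IDs (sg-mon, sg-app), the 10.0.x.x addresses and the assumption that the default allow-all egress rule has been removed are all constructed for the example.

```python
"""Stateful security-group model for the ping question above.

Constructed example (not AWS code). It models the documented behaviour:
a new flow must match a rule in the direction it is first seen, and the
return traffic of an allowed flow passes regardless of rules in the
other direction. The ICMP echo identifier is used as the flow key, which
is how echo request/reply pairs are matched up.
"""
import ipaddress
from dataclasses import dataclass, field

ANY = -1  # AWS uses -1 for "all ICMP types/codes" or "all ports"


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    proto: str      # "icmp" or "tcp"
    a: int          # ICMP type, or first port of a TCP range (ANY = wildcard)
    b: int          # ICMP code, or last port of a TCP range
    peer: str       # CIDR ("10.0.2.0/24") or a security group id ("sg-mon")


@dataclass
class Instance:
    name: str
    ip: str
    sg_id: str
    rules: tuple                             # explicit rules only; assumed: default egress rule removed
    flows: set = field(default_factory=set)  # connection-tracking table for this instance


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    a: int          # ICMP type / TCP source port
    b: int          # ICMP code / TCP destination port
    ident: int = 0  # ICMP echo identifier (unused for TCP)


def flow_key(p):
    """Direction-independent key so a reply maps onto the flow its request opened."""
    if p.proto == "icmp":
        return ("icmp", frozenset((p.src, p.dst)), p.ident)
    return ("tcp", frozenset(((p.src, p.a), (p.dst, p.b))))


def rule_matches(rule, direction, pkt, peer):
    """Does one rule permit this packet in this direction, given the other endpoint?"""
    if rule.direction != direction or rule.proto != pkt.proto:
        return False
    if pkt.proto == "icmp":
        if rule.a not in (ANY, pkt.a) or rule.b not in (ANY, pkt.b):
            return False
    elif rule.a != ANY and not (rule.a <= pkt.b <= rule.b):
        return False  # TCP rules are matched on the destination port
    if rule.peer.startswith("sg-"):
        return peer.sg_id == rule.peer  # rule references a security group, not an address
    return ipaddress.ip_address(peer.ip) in ipaddress.ip_network(rule.peer)


def permit(inst, direction, pkt, peer):
    """Stateful check: tracked flows pass with no rule; new flows need a matching rule."""
    key = flow_key(pkt)
    if key in inst.flows:
        return True
    if any(rule_matches(r, direction, pkt, peer) for r in inst.rules):
        inst.flows.add(key)
        return True
    return False


def ping(src, dst, ident=1234):
    """Echo request src->dst and the echo reply back; True only if all four checkpoints pass."""
    req = Packet(src.ip, dst.ip, "icmp", 8, 0, ident)  # type 8 = Echo Request
    rep = Packet(dst.ip, src.ip, "icmp", 0, 0, ident)  # type 0 = Echo Reply
    return (permit(src, "out", req, dst) and permit(dst, "in", req, src)
            and permit(dst, "out", rep, src) and permit(src, "in", rep, dst))


def tcp_connect(src, dst, port, sport=40000):
    """SYN src->dst and SYN/ACK back, evaluated the same way as the ping."""
    syn = Packet(src.ip, dst.ip, "tcp", sport, port)
    synack = Packet(dst.ip, src.ip, "tcp", port, sport)
    return (permit(src, "out", syn, dst) and permit(dst, "in", syn, src)
            and permit(dst, "out", synack, src) and permit(src, "in", synack, dst))


def option_c():
    """Answer C, tightened to echo request only and scoped by security group reference."""
    mon = Instance("monitor", "10.0.1.10", "sg-mon", (Rule("out", "icmp", 8, 0, "sg-app"),))
    app = Instance("app", "10.0.2.20", "sg-app", (Rule("in", "icmp", 8, 0, "sg-mon"),))
    return mon, app


def option_d():
    """Answer D: ICMP allowed in both directions in both groups."""
    mon = Instance("monitor", "10.0.1.10", "sg-mon",
                   (Rule("out", "icmp", ANY, ANY, "sg-app"), Rule("in", "icmp", ANY, ANY, "sg-app")))
    app = Instance("app", "10.0.2.20", "sg-app",
                   (Rule("in", "icmp", ANY, ANY, "sg-mon"), Rule("out", "icmp", ANY, ANY, "sg-mon")))
    return mon, app


if __name__ == "__main__":
    for name, build in (("C", option_c), ("D", option_d)):
        print(name, "monitor->app ping:", ping(*build()))
        mon, app = build()
        print(name, "app->monitor ping:", ping(app, mon))
        mon, app = build()
        print(name, "monitor->app tcp/22:", tcp_connect(mon, app, 22))
```

Running it shows why C is the right answer and D is over-permissive: under C the monitor's ping succeeds even though neither group has a rule for the echo reply, while a ping in the reverse direction and a TCP connection are refused; under D the application instance can also ping the monitor, which the question's "nothing else" rules out.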

Comments

AMohanty
6 months, 2 weeks ago
B and C are both possible options. As per B, it is not necessary for both to be part of the same SG. So I would go with C.
upvoted 1 times
Diegoflop
6 months, 2 weeks ago
B is a wrong answer, because a subnet can only be in one AZ and SGs are associated with the subnet, so you need 2 SGs. The correct answer is C.
upvoted 3 times
FHU
7 months, 1 week ago
Letter C
upvoted 1 times
Community vote distribution: A (35%), C (25%), B (20%), other