Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 73 discussion

C because from on-prem network to bastion through internet (using on-prem resource's public IP), D because bastion and ec2 is in same VPC, meaning bastion can communicate to EC2 via it's private IP address

on-prem -----> bastion host (we use internet, means that we need external IPs of the company) bastion host -----> private subnet (we use private IP since we are in the same AWS network)

Ans C,D - as per Six_Fingered_Jose (1 year, 10 mth ago)

CD - easy

I've noticed that it is very important to focus on the logic for the solution, not just services. For example, in this question, the goal is to access the application instances only from the bastion while keeping them in the private subnet, which already suggests that the SSH connection must be allowed for the bastion private IP. This is answer D. On the other hand, the bastion must accept connections only from the company's premises, which already eliminates option A. Option B is wrong because internal IP is used only internally; in this case, the connection will be through the internet, which means that it must be the external IP; therefore, answer C.

C: Bastion in public subnet should only allow access from public IP of the company D: app instance in private subnet should only allow access from bastion ABD are wrong choices Here is a working example on AWS docs if you want to learn about Bastion setup https://aws.amazon.com/solutions/implementations/linux-bastion/

the question mentioned from on-prem network to bastion through the company's internet then it should use the internal IP range not external ip ranges. so BD

Why are there always such unclear questions?

Key: through the company's internet connection

Option B - inbound access from the internal IP range for the company. This step ensures that only internal IP addresses from your company's network can access the bastion host, enhancing securit and then Option D

Please check first comments from top of them: Help2023 WherecanIstart Buruguduystunstugudunstuy

Allows inbound access from the external IP range for the company. Then allow inbound SSH access from only the private IP address of the bastion host.

C. This will restrict access to the bastion host from the specific IP range of the on-premises network, ensuring secure connectivity. This step ensures that only authorized users from the on-premises network can access the bastion host. D. This step enables SSH connectivity from the bastion host to the application instances in the private subnet. By allowing inbound SSH access only from the private IP address of the bastion host, you ensure that SSH access is restricted to the bastion host only.

the internal and external IP range is not clear

The private/public IP address thing is confusing. Ideally, the private instances inbound rule would just allow traffic from the security group of the bastion host.

Why external and not internal?

Application is in private subnet Bastion Host is in public subnet D does not make sense because the bastion host is in public subnet and they don't have a private IP but only a public IP address attached to them. The IP wanting to connect is Public as well. Bastion host in public subnet allows external IP (via internet) of the company to access it. Which than leaves us to give permission to the application private subnet and for that the private subnet with the application accepts the IP coming from Bastion Host by changing its SG. C&E