Exam AWS Certified Solutions Architect - Associate SAA-C03 topic 1 question 218 discussion

A, E is perfect the combination. To be more precise, We should add outbound with "outbound TCP port 32768-65535 to destination 0.0.0.0/0." as an ephemeral port due to the stateless of NACL.

For me it's grammatically unclear whether "port 443" and "port 32768-65535" in answers D and E are referring to the source or destination ports of the outbound traffic. If source ports then it would be D. If destination ports (which seems more likely) then it's E. "On Windows, the ephemeral port range is usually from 49152 to 65535. On Linux, it is often from 32768 to 61000." Thus 32768-65535 would cover both Windows and Linux.

Option A: Creating a security group that allows inbound traffic on TCP port 443 from all sources (0.0.0.0/0) ensures that the web server can accept incoming HTTPS requests. Option D: Updating the network ACL to allow inbound traffic on TCP port 443 from all sources (0.0.0.0/0) allows the requests to reach the EC2 instance. Additionally, it is necessary to allow outbound traffic on TCP port 443 to enable responses to clients, which is crucial for HTTPS communication.

Higher priority NACL to allow inbound and outbound traffic on 443 with take the precedence over default blocked NACL

AD How can E be the answer. How can we assure that the port range is definitely from the given port range in the option E?

Security group only needs inbound rules. ACL needs inbound and outbound.. Outbound traffic is going to be dynamic ports. Answer is A and E

AE Security group is a stateful resource and can understand to allow traffic from source 0.0.0.0/0 with port 443 but ACL is stateless so traffic that is allowed inside the network we must configure the same to go outside the network as well.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-basics "NACLs are stateless, which means that information about previously sent or received traffic is not saved. If, for example, you create a NACL rule to allow specific inbound traffic to a subnet, responses to that traffic are not automatically allowed. This is in contrast to how security groups work. Security groups are stateful, which means that information about previously sent or received traffic is saved. If, for example, a security group allows inbound traffic to an EC2 instance, responses are automatically allowed regardless of outbound security group rules." A fulfils the security group requirement E is the only option that explicitly covers outbound traffic and ports. D covers outbound destination but given that all traffic is blocked (as per the question) this won't work

For typical web server scenarios, such as serving content over HTTPS (port 443), you generally do not need to explicitly open outbound ports in the network ACL (NACL) for the return traffic.

ACL is stateless. you have to define both inbound and outbound rules.

i Think AD because acl is stateless we must open the port outbound and inbound , in option c we only open 443 on inbound

A, E is perfect the combination. To be more precise, We should add outbound with "outbound TCP port 32768-65535 to destination 0.0.0.0/0." as an ephemeral port due to the stateless of NACL.

AE is the best answer here, but in reality, E is not good enough. Here, it says that the client chooses the ephemeral port, and it can start from 1024. Only Linux clients have the range starting at 32768 https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports Unless the destination advertises the ephemeral ports, which I don't think is the case

AE is the best answer here, but in reality, E is not good enough. Here, it says that the client chooses the ephemeral port, and it can start from 1024. Only Linux clients have the range starting at 32768 https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports Unless the destination advertises the ephemeral ports, which I don't think is the case

32768-65535 ports Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet).

NACL blocks outgoing traffic since it is infact stateless..Option E allows outbound traffic from ephemeral ports going outside of the VPC back to the web.

It can't be C, since the current NACL blocks all traffic, including outbound. Need to allow outbound traffic through the NACL. But E is a bad answer, since ephemeral ports start at 1024, not 32768.