A, E is perfect the combination. To be more precise, We should add outbound with "outbound TCP port 32768-65535 to destination 0.0.0.0/0." as an ephemeral port due to the stateless of NACL.

For me it's grammatically unclear whether "port 443" and "port 32768-65535" in answers D and E are referring to the source or destination ports of the outbound traffic. If source ports then it would be D. If destination ports (which seems more likely) then it's E. "On Windows, the ephemeral port range is usually from 49152 to 65535. On Linux, it is often from 32768 to 61000." Thus 32768-65535 would cover both Windows and Linux.

Security group only needs inbound rules. ACL needs inbound and outbound.. Outbound traffic is going to be dynamic ports. Answer is A and E

AE Security group is a stateful resource and can understand to allow traffic from source 0.0.0.0/0 with port 443 but ACL is stateless so traffic that is allowed inside the network we must configure the same to go outside the network as well.

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-basics "NACLs are stateless, which means that information about previously sent or received traffic is not saved. If, for example, you create a NACL rule to allow specific inbound traffic to a subnet, responses to that traffic are not automatically allowed. This is in contrast to how security groups work. Security groups are stateful, which means that information about previously sent or received traffic is saved. If, for example, a security group allows inbound traffic to an EC2 instance, responses are automatically allowed regardless of outbound security group rules." A fulfils the security group requirement E is the only option that explicitly covers outbound traffic and ports. D covers outbound destination but given that all traffic is blocked (as per the question) this won't work

For typical web server scenarios, such as serving content over HTTPS (port 443), you generally do not need to explicitly open outbound ports in the network ACL (NACL) for the return traffic.

ACL is stateless. you have to define both inbound and outbound rules.

i Think AD because acl is stateless we must open the port outbound and inbound , in option c we only open 443 on inbound

A, E is perfect the combination. To be more precise, We should add outbound with "outbound TCP port 32768-65535 to destination 0.0.0.0/0." as an ephemeral port due to the stateless of NACL.

AE is the best answer here, but in reality, E is not good enough. Here, it says that the client chooses the ephemeral port, and it can start from 1024. Only Linux clients have the range starting at 32768 https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports Unless the destination advertises the ephemeral ports, which I don't think is the case

AE is the best answer here, but in reality, E is not good enough. Here, it says that the client chooses the ephemeral port, and it can start from 1024. Only Linux clients have the range starting at 32768 https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports Unless the destination advertises the ephemeral ports, which I don't think is the case

32768-65535 ports Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet).

NACL blocks outgoing traffic since it is infact stateless..Option E allows outbound traffic from ephemeral ports going outside of the VPC back to the web.

It can't be C, since the current NACL blocks all traffic, including outbound. Need to allow outbound traffic through the NACL. But E is a bad answer, since ephemeral ports start at 1024, not 32768.

A and C not E Option E states to allow incoming TCP ports on 443 and outgoing on 32768-65535 to all IP addresses (0.0.0.0/0). This option only allows outgoing ports and does not guarantee that incoming connections on 443 will be allowed. It does not meet the requirement of making the web server accessible on port 443 from anywhere. Therefore, option C which states to allow incoming TCP ports on 443 from all IP addresses is the best answer to meet the requirements.

AE correct

A & E , E as NACL is stateless.