AWS Certified Cloud Practitioner / Question #1384 of 719

Question #1384

A company is configuring its VPC and needs to enforce stateless packet filtering rules for both inbound and outbound traffic. Which AWS service or feature should be used to meet this requirement?

A. AWS PrivateLink

B. Security group

C. Network access control list (ACL)

D. AWS WAF

Explanation

The correct answer is C (Network ACL) because:
- Network ACLs are stateless: each packet is evaluated against the rules on its own, with no connection tracking, so the inbound request and the outbound response must each be explicitly allowed (for example, return traffic on ephemeral ports needs its own rule).
- Security groups (B) are stateful: return traffic for an allowed connection is permitted automatically without an explicit outbound rule, so they cannot provide stateless filtering.
- AWS PrivateLink (A) provides private connectivity to services but does not perform packet filtering.
- AWS WAF (D) protects web applications from common exploits at the HTTP layer but does not manage VPC traffic rules.

Key Points:
- Stateless = each packet is evaluated independently; no connection state is kept (Network ACL).
- Stateful = connection state is tracked automatically, so return traffic is allowed (Security group).
- Network ACLs operate at the subnet level, while security groups operate at the instance (network interface) level.

Answer

The correct answer is: C