Question #1237
A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 80.
Which combination of steps will accomplish this task? (Choose two.)
A. Create a security group with a rule to allow TCP port 80 from source 0.0.0.0/0.
B. Create a security group with a rule to allow TCP port 80 to destination 0.0.0.0/0.
C. Update the network ACL to allow TCP port 80 from source 0.0.0.0/0.
D. Update the network ACL to allow inbound/outbound TCP port 80 from source 0.0.0.0/0 and to destination 0.0.0.0/0.
E. Update the network ACL to allow inbound TCP port 80 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.
Explanation
The correct answers are A and E.
- A: Security groups are stateful. Creating a rule allowing inbound TCP port 80 (HTTP) from 0.0.0.0/0 ensures the EC2 instance accepts HTTP requests. The default security group blocks all inbound traffic, so this rule is necessary.
- E: Network ACLs are stateless. Allowing inbound port 80 (HTTP) enables incoming requests, while allowing outbound ephemeral ports (32768-65535) ensures responses from the server reach clients. Without this, return traffic would be blocked.
Other options are incorrect:
- B: Security group rules specify source, not destination, for inbound traffic.
- C: Allows inbound port 80 only; because the NACL is stateless, the server's outbound responses remain blocked.
- D: Allows port 80 in both directions, but the server's responses are sent to the client's ephemeral port, not to port 80, so the outbound rule never matches them.
Key Points: Security groups handle stateful traffic (automatic return paths), while NACLs require explicit inbound/outbound rules for stateless traffic. Ephemeral ports (32768-65535) must be allowed in NACLs for TCP responses.
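The stateful-versus-stateless distinction behind answers A and E, shown as an added example (a constructed Python model of rule evaluation, not part of the original question and not AWS code). It assumes all rules use 0.0.0.0/0, so only ports and direction are modelled, and a client ephemeral port of 45000.

```python
# Constructed model: a stateful security group (SG) and a stateless network
# ACL (NACL) evaluating the two halves of one HTTP exchange:
#   request:  client:45000 -> server:80
#   response: server:80    -> client:45000
# CIDRs are omitted because every rule in the question uses 0.0.0.0/0.

EPHEMERAL = (32768, 65535)  # return-traffic range named in option E


def in_range(port, rng):
    lo, hi = rng
    return lo <= port <= hi


def nacl_allows(rules, direction, dst_port):
    """Stateless: each direction is checked independently against rules
    in rule-number order; first match wins, and the implicit final rule
    is deny (the question's NACL was modified to block everything)."""
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["direction"] == direction and in_range(dst_port, rule["ports"]):
            return rule["action"] == "allow"
    return False


def sg_allows(inbound_rules, dst_port):
    """Stateful: only inbound rules are consulted for a new connection;
    the reply is tracked and allowed automatically."""
    return any(in_range(dst_port, r) for r in inbound_rules)


def http_exchange_works(sg_inbound, nacl_rules, client_port=45000):
    """True if both the request and its response pass SG and NACL."""
    request_ok = nacl_allows(nacl_rules, "inbound", 80) and sg_allows(sg_inbound, 80)
    # The SG remembers the connection, so only the NACL sees the reply,
    # whose destination port is the client's ephemeral port, not 80.
    response_ok = nacl_allows(nacl_rules, "outbound", client_port)
    return request_ok and response_ok


SG_DEFAULT = []          # no inbound rule for external HTTP traffic
SG_A = [(80, 80)]        # option A: inbound TCP 80

_IN_80 = {"number": 100, "direction": "inbound", "ports": (80, 80), "action": "allow"}
NACL_C = [_IN_80]
NACL_D = [_IN_80, {"number": 100, "direction": "outbound", "ports": (80, 80), "action": "allow"}]
NACL_E = [_IN_80, {"number": 100, "direction": "outbound", "ports": EPHEMERAL, "action": "allow"}]

if __name__ == "__main__":
    for name, nacl in (("C", NACL_C), ("D", NACL_D), ("E", NACL_E)):
        print(f"SG A + NACL {name}: {'works' if http_exchange_works(SG_A, nacl) else 'blocked'}")
```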
Answer
The correct answer is: AE