Question
A SysOps administrator launches an Amazon EC2 Linux instance in a public subnet. When the instance is running, the SysOps administrator obtains the public IP address and attempts to remotely connect to the Instance multiple times. However, the SysOps administrator always receives a timeout error. Which action will allow the SysOps administrator to remotely connect to the instance?
A. Add a route table entry in the public subnet for the SysOps administrator’s IP address.
B. Add an outbound network ACL rule to allow TCP port 22 for the SysOps administrator’s IP address.
C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator’s IP address.
D. Modify the instance security group to allow outbound SSH traffic to the SysOps administrator’s IP address.
Answer
C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator’s IP address.
Explanation
The correct answer to the question is C. Modify the instance security group to allow inbound SSH traffic from the SysOps administrator’s IP address.
To remotely connect to an Amazon EC2 Linux instance, the SysOps administrator needs to use the Secure Shell (SSH) protocol, which allows secure and encrypted communication between two hosts over a network. SSH uses TCP port 22 by default, and requires a valid user name and a private key that matches the public key that was specified when launching the instance.
To use SSH to connect to an EC2 instance, the SysOps administrator also needs to ensure that the following network and security requirements are met:
- The EC2 instance must have a public IP address or a public DNS name that can be resolved and reached over the internet. The SysOps administrator can obtain the public IP address or DNS name of the instance from the AWS Management Console, the AWS CLI, or the AWS SDK.
- The EC2 instance must be in a public subnet that has a route table entry that points to an internet gateway. This allows the instance to send and receive traffic from the internet.
- The EC2 instance must have a security group that allows inbound traffic on port 22 from the SysOps administrator’s IP address. A security group is a virtual firewall that controls the inbound and outbound traffic for one or more instances. The SysOps administrator can create or modify a security group rule that allows SSH access from a specific IP address or a range of IP addresses using the CIDR notation.
- The EC2 instance must not have a network ACL that blocks inbound or outbound traffic on port 22 from the SysOps administrator’s IP address. A network ACL is an optional layer of security that acts as a stateless firewall for a subnet. The SysOps administrator can create or modify a network ACL rule that allows SSH access from a specific IP address or a range of IP addresses using the CIDR notation.
In this scenario, the SysOps administrator launches an EC2 Linux instance in a public subnet and obtains the public IP address of the instance. However, the SysOps administrator always receives a timeout error when trying to connect to the instance using SSH. This implies that the issue is not related to the public IP address, the public subnet, or the network ACL of the instance. Therefore, options A and B are incorrect.
The most likely cause of the issue is that the security group of the instance does not allow inbound SSH traffic from the SysOps administrator’s IP address. Without this permission, the security group will block any SSH connection attempts to the instance and cause a timeout error.
To fix this issue, the SysOps administrator needs to modify the security group of the instance to allow inbound SSH traffic from the SysOps administrator’s IP address. This can be done by using the AWS Management Console, the AWS CLI, or the AWS SDK. For example, using the AWS CLI, the SysOps administrator can run the following command:
aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef --protocol tcp --port 22 --cidr 203.0.113.0/24
This command will add an inbound rule to the security group with ID sg-1234567890abcdef that allows TCP traffic on port 22 from any IP address in the range 203.0.113.0/24. The SysOps administrator can replace these values with their own security group ID and IP address range.
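As an added example (not part of the original explanation), the check below evaluates a security group's inbound rules the way EC2 does, so an administrator can confirm whether their source address is admitted on TCP/22 before adding a rule. The sample group is constructed; its shape follows the IpPermissions structure returned by aws ec2 describe-security-groups, and the group ID and addresses are placeholders. The helper that builds the CLI command narrows the rule to a single /32 host rather than a /24 range.

```python
import ipaddress

# Constructed sample security group (values are made up). The layout mirrors
# the "IpPermissions" field of `aws ec2 describe-security-groups` output.
SAMPLE_SG = {
    "GroupId": "sg-1234567890abcdef",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ],
}


def ssh_allowed_from(sg, source_ip, port=22):
    """True if any inbound rule in sg admits TCP traffic on `port` from source_ip.

    Security group rules are allow-only: with no matching rule the packet is
    dropped silently, which the client sees as a connection timeout.
    """
    src = ipaddress.ip_address(source_ip)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # "-1" means all protocols
            continue
        if proto == "tcp" and not (
            perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)
        ):
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            # Membership test is False when address families differ.
            if src in ipaddress.ip_network(cidr, strict=False):
                return True
    return False


def authorize_ingress_command(group_id, source_ip, port=22):
    """Build the least-privilege CLI command: one IPv4 host (/32), one port."""
    src = ipaddress.ip_address(source_ip)
    if src.version != 4:
        raise ValueError("this helper only builds --cidr rules for IPv4 hosts")
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol tcp --port {port} --cidr {src}/32")


if __name__ == "__main__":
    admin_ip = "198.51.100.7"                   # constructed admin address
    if not ssh_allowed_from(SAMPLE_SG, admin_ip):
        print(authorize_ingress_command(SAMPLE_SG["GroupId"], admin_ip))
```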
After modifying the security group of the instance, the SysOps administrator can try to connect to the instance again using SSH. The SysOps administrator should be able to establish a successful connection and access the instance remotely. Therefore, option C is correct.
Option D is incorrect because it is not necessary or relevant for connecting to an EC2 instance using SSH. Security groups are stateful: once an inbound SSH connection is permitted, the return traffic is allowed automatically, so an outbound rule to the SysOps administrator’s IP address will not affect the inbound SSH connection. Moreover, outbound SSH traffic is usually initiated by an EC2 instance, not by an external host. For more details, see the references below.
Reference
- amazon ec2 – EC2 Network Error : Connection timeout – Stack Overflow
- ssh – Possible reasons for timeout when trying to access EC2 instance – Stack Overflow
- amazon ec2 – Connection time out while connecting to EC2 – Stack Overflow
- amazon web services – AWS Connection timeout + EC2 Instance Connect not working – Stack Overflow