Learn how to troubleshoot connectivity issues with Amazon EC2 instances in a public subnet. Understand the importance of security group rules, network ACLs, and firewall rules in maintaining instance accessibility.
Question
A SysOps administrator has set up a new Amazon EC2 instance as a web server in a public subnet. The instance uses HTTP port 80 and HTTPS port 443.
The SysOps administrator has confirmed internet connectivity by downloading operating system updates and software from public repositories. However, the SysOps administrator cannot access the instance from a web browser on the internet.
Which combination of steps should the SysOps administrator take to troubleshoot this issue? (Choose three.)
A. Ensure that the inbound rules of the instance’s security group allow traffic on ports 80 and 443.
B. Ensure that the outbound rules of the instance’s security group allow traffic on ports 80 and 443.
C. Ensure that ephemeral ports 1024-65535 are allowed in the inbound rules of the network ACL that is associated with the instance’s subnet.
D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance’s subnet.
E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
F. Ensure that AWS WAF is turned on for the instance and is blocking web traffic.
Answer
A. Ensure that the inbound rules of the instance’s security group allow traffic on ports 80 and 443.
D. Ensure that ephemeral ports 1024-65535 are allowed in the outbound rules of the network ACL that is associated with the instance’s subnet.
E. Ensure that the filtering rules for any firewalls that are running on the instance allow inbound traffic on ports 80 and 443.
Explanation
Step A is crucial because security groups act as virtual firewalls for EC2 instances. If the inbound rules of the security group do not allow traffic on ports 80 and 443, the web server will not be accessible from the internet.
Step D is necessary because network ACLs are stateless: the responses the instance sends back to a browser are addressed to an ephemeral port (1024-65535) on the client, so the network ACL associated with the subnet must explicitly allow outbound traffic on these ports. If it does not, the instance cannot complete its outbound responses, which prevents it from answering incoming web requests even though the requests themselves reach it.
Step E is important because even if the security group and network ACL rules are configured correctly, any firewall software running on the instance itself could be blocking inbound traffic on ports 80 and 443. This step ensures that any local firewall rules are checked and configured properly.
Steps B (outbound rules of the security group) and C (inbound rules of the network ACL) are not relevant in this scenario, as the issue is related to the web server not being accessible from the internet, which is an inbound traffic problem.
Step F is also not relevant, as AWS WAF (Web Application Firewall) is a separate service used to protect web applications from common web exploits, and it does not directly affect the accessibility of the web server from the internet.
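As an added illustration (not part of the original Q&A), the following offline model traces one browser connection through the subnet network ACL and the instance security group, showing why step A and step D both matter. All rule sets are constructed for this example.

```python
# Added example, not from the original Q&A: an offline model of the two
# network-layer checks behind steps A and D. Rule sets are constructed.

EPHEMERAL = (1024, 65535)   # client-side source ports seen on the return path

def nacl_allows(rules, port):
    """Stateless NACL evaluation: rules are tried in ascending rule-number
    order, the first rule whose port range matches decides, and anything
    unmatched hits the implicit deny ('*' rule)."""
    for _rule_no, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
        if lo <= port <= hi:
            return action == "allow"
    return False

def sg_allows_inbound(inbound_rules, port):
    """Stateful security group: if the request is allowed in, the response
    is allowed out automatically, so only the inbound rule needs checking."""
    return any(lo <= port <= hi for lo, hi in inbound_rules)

def diagnose(sg_inbound, nacl_inbound, nacl_outbound, server_port, client_port):
    """Trace one browser connection (request then response) through the
    subnet NACL and the instance security group; return the blocking points."""
    findings = []
    # Request leg: internet -> instance on 80/443 (NACL inbound, then SG inbound; step A)
    if not nacl_allows(nacl_inbound, server_port):
        findings.append(f"NACL inbound denies port {server_port}")
    if not sg_allows_inbound(sg_inbound, server_port):
        findings.append(f"security group has no inbound rule for port {server_port}")
    # Response leg: instance -> client's ephemeral port; the stateless NACL
    # needs an explicit outbound allow for 1024-65535 (step D)
    if not nacl_allows(nacl_outbound, client_port):
        findings.append(f"NACL outbound denies ephemeral port {client_port}")
    return findings

# Constructed rules mirroring the question: the instance can fetch updates
# (outbound 80/443 allowed, inbound ephemeral allowed for their replies),
# but nothing lets a browser's request in or the server's reply back out.
BROKEN_SG_INBOUND = [(22, 22)]
NACL_INBOUND = [(100, (80, 80), "allow"), (110, (443, 443), "allow"),
                (120, EPHEMERAL, "allow")]
BROKEN_NACL_OUTBOUND = [(100, (80, 80), "allow"), (110, (443, 443), "allow")]
FIXED_SG_INBOUND = [(22, 22), (80, 80), (443, 443)]
FIXED_NACL_OUTBOUND = BROKEN_NACL_OUTBOUND + [(120, EPHEMERAL, "allow")]

if __name__ == "__main__":
    print(diagnose(BROKEN_SG_INBOUND, NACL_INBOUND, BROKEN_NACL_OUTBOUND, 443, 51234))
    print(diagnose(FIXED_SG_INBOUND, NACL_INBOUND, FIXED_NACL_OUTBOUND, 443, 51234))
```

Running it reports both the missing security group inbound rule and the missing outbound ephemeral allow for the broken configuration, and nothing for the fixed one; a host firewall on the instance (step E) sits behind both layers and is not modelled here.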