A company has a web server on an Amazon EC2 instance in a public subnet with an Elastic IP address. The instance uses the default security group, and the default network ACL has been modified to block all traffic. A solutions architect must make the web server accessible from everywhere on port 443. Which combination of steps will accomplish this? (Choose two.)
Choose an answer
Tap an option to check your answer.
Correct answer: Create a security group with a rule that allows inbound TCP port 443 from source 0.0.0.0/0., Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0..
Why this is the answer
To make the web server accessible, both the security group and the network ACL must permit the traffic. The security group acts as a virtual firewall for the instance, while the network ACL acts as a stateless firewall for the subnet. 1. Create a security group with a rule that allows inbound TCP port 443 from source 0.0.0.0/0: This correctly configures the security group to allow HTTPS traffic from any IP address to the EC2 instance. 2. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0: Since network ACLs are stateless, both inbound and outbound rules are needed. Inbound port 443 allows client requests. Outbound ephemeral ports (32768-65535) are required for the EC2 instance to send responses back to the client. The incorrect security group option specifies a destination, which is not how security group inbound rules are configured. The other incorrect network ACL options either don't account for the stateless nature by omitting outbound rules or specify an incorrect outbound port.
Pass your exam — without the endless answer hunt
Get every verified question and explanation for this exam in one place, and save hours of prep. 1,000+ certifications · 20+ languages · free to start.
Pass your exam faster → No card needed