You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary
private IP address assigned, an internet gateway is attached to the VPC, and the public route table is
configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow
all outbound traffic, but the instance cannot access the internet. Why is the Internet unreachable from this instance?
A. The instance does not have a public IP address.
B. The internet gateway security group must allow all outbound traffic.
C. The instance security group must allow all inbound traffic.
D. The instance “Source/Destination check” property must be enabled.
A and C?
Only A, C is already applied in the problem description.
C. inbound traffic needs to be allowed as well.
Security groups are stateful, so need to apply inbound rule separately.
Correction:
“Security groups are stateful, so no need to apply inbound rule separately.”
A
Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
It should be A.
Only A.
Security groups are stateful, so return traffic will be allowed back. No need to explicitly allow inbound traffic.
Distinguish between Security Groups and Network ACLs.
Network ACLs are subnet based and are stateless. You need to explicitly permit traffic outbound and inbound for return traffic.
Security groups are stateful: if you allow outbound traffic, the return traffic will be allowed because of the statefulness, and vice versa.
I choose A
A
A is more correct.
A
D is the answer.
Disabling Source/Destination Checks
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.
You can disable the SrcDestCheck attribute for a NAT instance that’s either running or stopped using the console or the command line.
@Chinmoy: There is no NAT in this setup!!
Answer is A.
I think D is the correct answer.
A is the correct answer
D is not the best answer as “Source/Destination” check is already enabled by default.
A
To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
Attach an Internet gateway to your VPC.
Ensure that your subnet’s route table points to the Internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
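As an added example, not taken from the AWS documentation quoted above or from anyone in this thread, the four-step checklist above and the earlier stateful-versus-stateless point are written out as offline checks. The dictionaries are constructed to mirror, in simplified form, the shape of `describe-instances`, `describe-route-tables`, `describe-internet-gateways`, `describe-security-groups` and `describe-network-acls` output; the resource IDs and addresses are placeholders, not real AWS data.

```python
# Offline walk-through of the VPC internet-access checklist. All input
# dictionaries are constructed to look like simplified `aws ec2 describe-*`
# output; IDs and addresses are placeholders (assumption, not real data).


def igw_attached(igws, vpc_id):
    """Check 1: an internet gateway is attached to the instance's VPC."""
    return any(
        att.get("VpcId") == vpc_id and att.get("State") == "available"
        for igw in igws
        for att in igw.get("Attachments", [])
    )


def default_route_to_igw(route_table):
    """Check 2: the subnet's route table sends 0.0.0.0/0 to an igw-* target."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("State") == "active"
                    and route.get("GatewayId", "").startswith("igw-"))
    return False  # no default route at all


def has_public_address(instance):
    """Check 3: a globally unique address (public IPv4, Elastic IP or IPv6).
    A primary private IP alone cannot be used through an internet gateway,
    which is the exam scenario (answer A)."""
    if instance.get("PublicIpAddress"):
        return True
    return any(
        eni.get("Association", {}).get("PublicIp") or eni.get("Ipv6Addresses")
        for eni in instance.get("NetworkInterfaces", [])
    )


def sg_allows_all_egress(security_groups):
    """Check 4a: some attached security group permits outbound to 0.0.0.0/0.
    Security groups are stateful: replies to a connection the instance opens
    are allowed automatically, so no inbound rule is needed (why C is wrong)."""
    return any(
        perm.get("IpProtocol") == "-1"
        and any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        for sg in security_groups
        for perm in sg.get("IpPermissionsEgress", [])
    )


def nacl_allows(entries, egress, port):
    """Check 4b: network ACLs are stateless, so the outbound request and the
    inbound reply (ephemeral port) must each be allowed. Entries are evaluated
    in rule-number order and the first match wins."""
    for e in sorted((e for e in entries if e.get("Egress") == egress),
                    key=lambda e: e["RuleNumber"]):
        if e.get("CidrBlock") != "0.0.0.0/0":
            continue
        pr = e.get("PortRange")
        if e.get("Protocol") == "-1" or (pr and pr["From"] <= port <= pr["To"]):
            return e["RuleAction"] == "allow"
    return False  # the implicit final deny rule


def diagnose(instance, route_table, igws, security_groups, nacl_entries):
    """Return the names of the failed checks; an empty list means outbound
    internet access from the instance should work."""
    checks = [
        ("internet gateway attached to VPC", igw_attached(igws, instance["VpcId"])),
        ("route table sends 0.0.0.0/0 to the internet gateway", default_route_to_igw(route_table)),
        ("instance has a public IPv4, Elastic IP or IPv6 address", has_public_address(instance)),
        ("security group allows outbound traffic", sg_allows_all_egress(security_groups)),
        ("NACL allows outbound HTTPS", nacl_allows(nacl_entries, True, 443)),
        ("NACL allows inbound replies on ephemeral ports", nacl_allows(nacl_entries, False, 40000)),
    ]
    return [name for name, ok in checks if not ok]


# Constructed sample reproducing the exam scenario: IGW attached, default
# route to it, egress wide open, default NACL, but only a private IP.
IGWS = [{"InternetGatewayId": "igw-0example",
         "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}]
ROUTE_TABLE = {"RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
]}
SECURITY_GROUPS = [{"GroupId": "sg-0example", "IpPermissions": [],
                    "IpPermissionsEgress": [{"IpProtocol": "-1",
                                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
DEFAULT_NACL = [  # rule 100 allows everything in both directions
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
]
INSTANCE_PRIVATE_ONLY = {"InstanceId": "i-0example", "VpcId": "vpc-0example",
                         "PrivateIpAddress": "10.0.1.25", "SourceDestCheck": True,
                         "NetworkInterfaces": [{"PrivateIpAddress": "10.0.1.25"}]}
# Same instance after associating an Elastic IP (203.0.113.0/24 is a documentation range).
INSTANCE_WITH_EIP = dict(INSTANCE_PRIVATE_ONLY, PublicIpAddress="203.0.113.10")

if __name__ == "__main__":
    for label, inst in (("private only", INSTANCE_PRIVATE_ONLY), ("with EIP", INSTANCE_WITH_EIP)):
        failed = diagnose(inst, ROUTE_TABLE, IGWS, SECURITY_GROUPS, DEFAULT_NACL)
        print(label, "->", failed or "all checks pass")
```

Run as-is, the private-only instance fails exactly one check (the public address), and the same instance with an Elastic IP passes all six. The security-group check looks only at egress rules, while the NACL check is run once per direction; that asymmetry is the stateful/stateless distinction the thread keeps returning to.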
If you believe that NAT is not in use then the answer is A
Based on the routing table I believe that to be the case. I would assume the traffic would have to be routed to the NAT instance explicitly. Therefore option D is impossible.
“The following figure illustrates the NAT instance basics. The main route table sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number for the response.”
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html
Definitely A.
Look at the following forum and answer from AWS support:
https://forums.aws.amazon.com/thread.jspa?threadID=96369
There are three ways to access the Internet. You can use an Internet Gateway along with an Elastic IP for each instance, set up a NAT instance, or route everything through a hardware VPN connection back to your premises. If the instance is running in a subnet with a default route to the Internet Gateway, you need an Elastic IP address.
In this question they specified that they are using an internet gateway….
I believe the answer is A.
Here’s why: the question is “Why is the Internet unreachable from this instance?”
Note: “from” this instance.
We all know, SGs are stateful. This means if the traffic is initiated from the instance, and as we know from the question, the outbound traffic is allowed, the inbound traffic shall be allowed as well.
Had the question been phrased differently, i.e. “to” this instance, then the correct answer would have to be A and C, as you would need inbound traffic to be allowed as well as the public or Elastic IP.