Can you configure the security groups for these instances to only allow the ICMP ping to…

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure
monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region,
and another application instance running in AZ B. The monitoring application needs to make use
of ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass
from the monitoring instance to the application instance and nothing else? If so, how?

A.
No. Two instances in two different AZs can’t talk directly to each other via ICMP ping as that
protocol is not allowed across subnet (i.e. broadcast) boundaries

B.
Yes. Both the monitoring instance and the application instance have to be a part of the same
security group, and that security group needs to allow inbound ICMP

C.
Yes. The security group for the monitoring instance needs to allow outbound ICMP and the
application instance’s security group needs to allow inbound ICMP

D.
Yes. Both the monitoring instance’s security group and the application instance’s security group
need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol
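
An added example of the configuration that option C describes, written in Terraform (not code from the original page or from AWS): the monitoring group's only outbound rule is an ICMP echo request toward the application group, the application group's only inbound rule is that same echo request from the monitoring group, and the echo reply comes back through security-group connection tracking, so no other traffic is admitted in either direction. The VPC id variable and the group names are assumptions.

```hcl
# Assumed: an existing VPC whose id is supplied through var.vpc_id (placeholder).
variable "vpc_id" {
  type = string
}

# Security group for the monitoring instance in AZ A.
# Terraform removes AWS's default allow-all egress rule from a new VPC
# security group, so the only egress this group ends up with is the rule below.
resource "aws_security_group" "monitoring" {
  name   = "monitoring-sg"
  vpc_id = var.vpc_id
}

# Security group for the application instance in AZ B.
# No inbound rule is defined here; the single ingress rule is attached below.
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}

# Outbound on the monitoring side: only ICMP echo request (type 8, code 0),
# and only towards instances that are members of the application group.
resource "aws_security_group_rule" "monitoring_egress_icmp" {
  type                     = "egress"
  security_group_id        = aws_security_group.monitoring.id
  protocol                 = "icmp"
  from_port                = 8 # ICMP type: echo request
  to_port                  = 0 # ICMP code
  source_security_group_id = aws_security_group.app.id # destination for an egress rule
}

# Inbound on the application side: the matching echo request, only from
# instances that are members of the monitoring group.
resource "aws_security_group_rule" "app_ingress_icmp" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  protocol                 = "icmp"
  from_port                = 8 # ICMP type: echo request
  to_port                  = 0 # ICMP code
  source_security_group_id = aws_security_group.monitoring.id
}

# Deliberately absent: any egress rule on the app group and any ingress rule on
# the monitoring group. The echo reply is return traffic of a tracked request,
# which stateful security groups allow without an explicit rule.
```

Referencing the peer group's id instead of a CIDR keeps the rule tied to the instances themselves, which still works across the two AZs because both groups live in the same VPC.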

Anuj

Only the application instance needs to allow inbound ICMP and the monitoring instance outbound ICMP (by default all traffic is allowed).

C is correct.

Will

Technically B, C and D are all correct. The reason why D is the most suitable is because it's explicitly explaining the reason why it must allow in and out from both sides. Although B and C will implicitly do the trick too.

blahblah

C still, just adding some info

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

Even though all outbound is added by default, including ICMP, it still “needs” to be there, which makes C complete and accurate. D is incorrect b/c you don’t need to allow both inbound and outbound on both instances. If ICMP is allowed in on the destination then you don’t need an explicit exit thus making D wrong.

ARUN MANGLICK

Ans: C

Sysops

None of them is a perfect answer, but C looks close among the others.

Viet Nguyen

D. Because ICMP is connectionless, as it does not require hosts to handshake before establishing a connection.