Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring
application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application
instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network
reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the
monitoring instance to the application instance and nothing else? If so, how?
A. No. Two instances in two different AZs can’t talk directly to each other via ICMP ping, as that protocol is not allowed across subnet (i.e. broadcast) boundaries.
B. Yes. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP.
C. Yes. The security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow inbound ICMP.
D. Yes. Both the monitoring instance’s security group and the application instance’s security group need to allow both inbound and outbound ICMP ping packets, since ICMP is not a connection-oriented protocol.
I’m pretty sure D is not correct. I believe only inbound on the app server and outbound on the monitoring server is needed for ICMP. So answer (C).
I think I agree with you, it should be C. Also, by default security groups already allow outbound traffic.
Agree with Seth and Kelvin, C is correct.
Read the section on Connection Tracking in the link – http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
D is correct because ICMP is not a connection-oriented protocol
I agree with D is correct
D is wrong. I have set up 2 Windows EC2 instances to test out this scenario. One has inbound ICMP enabled on the security group and the other instance does not. Ping to the EC2 instance with inbound ICMP enabled works just fine.
C is the correct answer based on an actual test with real EC2 instances.
C doesn’t meet this requirement!
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the
monitoring instance to the application instance and nothing else? If so, how?
I think D works just fine. You maybe don’t necessarily need to open both inbound and outbound, but the effect will be to allow only communication via ICMP.
I believe C to be correct.
Even though ICMP is not a connection-oriented protocol, Security Groups are stateful.
“Security groups are stateful — responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa.”
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
Agree with JK, very tricky. Usually you should allow inbound traffic (in practice) for ICMP for both security groups; by allowing outbound for the security group, since security groups are stateless, it would be the same effect.
Answer should be C.
I’m going out on a limb here and going with B. They don’t need to be part of the same security group, but if they are and no other instances are using that SG, then that segments the traffic to only those two instances, which is part of the required solution (“nothing else”). Just creating a SG to allow inbound doesn’t mean another instance couldn’t communicate on that port too.
Inbound is required on both due to the connectionless ICMP protocol. Outbound is never required. SGs have all traffic outbound by default.
Answer – D
By default, in a security group all outbound traffic is allowed unless we customize it.
>>The monitoring application needs to make use of ICMP ping to confirm network
reachability of the instance hosting the application.
= For the above requirement we have to add an ICMP rule to the inbound rules in the security group of the monitoring instance as well as the application instance,
so ping will work!
C is right
C is right !
Tested by launching 2 Instances in same VPC but different AZs.
SG-1 on Monitoring Instance-1 – only outbound ICMP allowed (incoming ICMP is enabled automatically as security groups are stateful)
SG-2 on Application Instance-2 – only inbound ICMP allowed (outgoing ICMP is enabled automatically as security groups are stateful)
Test Results – I can ping from Monitoring Instance to Application Instance.
I really think it should be B.
As ICMP needs ping and ping-return traffic to work, for the monitoring instance the SG has to allow inbound ICMP as well. Otherwise, the ICMP return traffic won’t reach the monitoring instance. So B is correct.
As to C, the outbound ICMP is automatically enabled. What you need to do is to enable inbound ICMP.
Answer is C. It is not necessary to configure outbound in security groups.
D
C is the correct answer
A. No. Two instances in two different AZs can’t talk directly to each other via ICMP ping, as that protocol is not allowed across subnet (i.e. broadcast) boundaries. (They can communicate.)
B. Yes. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP. (They need not be part of the same security group.)
C. Yes. The security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow inbound ICMP. (Security groups are stateful, so just allow outbound ICMP from the monitoring instance and inbound ICMP on the monitored instance.)
D. Yes. Both the monitoring instance’s security group and the application instance’s security group need to allow both inbound and outbound ICMP ping packets, since ICMP is not a connection-oriented protocol. (Security groups are stateful.)
I think it’s B. All outbound traffic is allowed by default in Security Groups. So you only have to explicitly configure inbound rules.
C:
Security groups are stateful so D is not the answer.
C
D, because ICMP is connectionless.
C is the answer. Tested and verified.
C is the answer.
This question is not quite correct. ICMP is a stateless protocol indeed, but AWS SGs bind ICMP requests and reply together. I vote for C.
B
By default outbound is permitted in security groups. Plus, although ICMP is connectionless, the stateful firewall would allow it to return.
Plus, C allows ICMP from any source and the requirement is “only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else” – they have to be in the same security group.
Not correct at all
C is correct. Only an outbound SG rule and an inbound SG rule are needed. ICMP being connectionless is just to throw you off – SGs are stateful – so the return packet will come.
The only other point to be mentioned is the ‘route’ – this somehow is being confused with rules. A default route always exists (but not SG rules), so all subnets can talk to each other, but SGs (and NACLs) must allow it. By default NACLs allow all (unless you change them). However, the route is not part of the question here.
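The SG-1/SG-2 setup tested above, together with the “nothing else” objection, as an added example that is not part of the original thread: the rules are written in the EC2 IpPermissions shape with the source pinned to the peer security group ID, and a small stateful evaluator (a simplification of EC2 connection tracking, with constructed group IDs) shows why the echo reply needs no reverse rule and why a third instance is refused.

```python
# Added example (not from the thread): a model of how stateful EC2 security groups
# evaluate the ICMP flow in the question. Rules use the EC2 IpPermissions shape;
# the evaluator is a simplification of the real connection tracking.
from typing import NamedTuple, Optional

SG_MONITOR, SG_APP = "sg-monitor", "sg-app"  # constructed placeholder group IDs
# Answer C with the source pinned to a group ID rather than 0.0.0.0/0: the monitoring
# group allows outbound ICMP to the app group, the app group allows inbound ICMP only
# from the monitoring group. No reverse-direction rules (answer D) are defined.
RULES = {
    SG_MONITOR: {"ingress": [], "egress": [
        {"IpProtocol": "icmp", "UserIdGroupPairs": [{"GroupId": SG_APP}]}]},
    SG_APP: {"egress": [], "ingress": [
        {"IpProtocol": "icmp", "UserIdGroupPairs": [{"GroupId": SG_MONITOR}]}]},
}

class Instance(NamedTuple):
    name: str
    sg: Optional[str]  # None: an instance in some other group we do not model

def rule_matches(rule: dict, proto: str, peer_sg: Optional[str]) -> bool:
    """Protocol fits ("-1" is all traffic) and the peer belongs to a referenced group."""
    proto_ok = rule["IpProtocol"] in (proto, "-1")
    return proto_ok and any(p["GroupId"] == peer_sg for p in rule.get("UserIdGroupPairs", []))

class StatefulSG:
    """Rule evaluation plus connection tracking: the reply to a permitted request is
    allowed by state, regardless of rules in the reverse direction."""
    def __init__(self, rules: dict) -> None:
        self.rules, self.tracked = rules, set()  # tracked: (src, dst, proto)
    def _allowed(self, side: str, sg: str, proto: str, peer: Optional[str]) -> bool:
        return any(rule_matches(r, proto, peer) for r in self.rules[sg][side])
    def permit(self, src: Instance, dst: Instance, proto: str = "icmp") -> bool:
        if (dst.name, src.name, proto) in self.tracked:
            return True  # reply leg of a flow the rules already permitted
        egress_ok = src.sg is None or self._allowed("egress", src.sg, proto, dst.sg)
        ingress_ok = dst.sg is not None and self._allowed("ingress", dst.sg, proto, src.sg)
        if egress_ok and ingress_ok:
            self.tracked.add((src.name, dst.name, proto))
        return egress_ok and ingress_ok

def ping_scenarios() -> dict:
    fw = StatefulSG(RULES)
    monitor, app = Instance("monitor", SG_MONITOR), Instance("app", SG_APP)
    other = Instance("other", None)  # a third instance in the same VPC
    return {
        "unsolicited_app_to_monitor": fw.permit(app, monitor),  # SG_MONITOR has no ingress rule
        "echo_request": fw.permit(monitor, app),  # matched by the two explicit rules
        "echo_reply": fw.permit(app, monitor),  # allowed by state, no extra rule needed
        "other_to_app": fw.permit(other, app),  # source group not referenced: denied
    }
```

Replacing the UserIdGroupPairs source with an IpRanges entry of 0.0.0.0/0 is what makes a plain answer-C rule fail the “nothing else” requirement; the group-ID source is what restricts it to the monitoring instance.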