Can you configure the security groups for these instances to only allow the ICMP ping…

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring application running on an Amazon EC2 instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?


A. No. Two instances in two different AZs can't talk directly to each other via ICMP ping, as that protocol is not allowed across subnet (i.e. broadcast) boundaries.

B. Yes. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP.

C. Yes. The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow inbound ICMP.

D. Yes. Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets, since ICMP is not a connection-oriented protocol.





Seth

I'm pretty sure D is not correct. I believe only inbound on the app server and outbound on the monitoring server is needed for ICMP. So the answer is (C).

Kelvin Wong

I think I agree with you, it should be C. Also, by default security groups already allow outbound traffic.

JAck

D is correct because ICMP is not a connection-oriented protocol.

Viet Nguyen

I agree that D is correct.

Gig

D is wrong. I have set up 2 Windows EC2 instances to test out this scenario. One has inbound ICMP enabled on the security group and the other instance does not. Ping to the EC2 instance with inbound ICMP enabled works just fine.

C is the correct answer based on an actual test with real EC2 instances.

robi

C doesn't meet this requirement!

"Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how?"

robi

I think D works just fine. You maybe don't necessarily need to open both inbound and outbound, but the effect will be to allow only communication via ICMP.

Ankit Shah

Agree with JK, very tricky. Usually you should allow inbound traffic (in practice) for ICMP for both security groups; by allowing outbound for the security group, since security groups are stateless, it would be the same effect.

Answer should be C.

Worm

I'm going out on a limb here and going with B. They don't need to be part of the same security group, but if they are and no other instances are using that SG, then that segments the traffic to only those two instances, which is part of the required solution ("nothing else"). Just creating an SG to allow inbound doesn't mean another instance couldn't communicate on that port too.

Inbound is required on both due to the connectionless ICMP protocol. Outbound is never required. SGs have all traffic outbound by default.

YUK

Answer: D

By default, in a security group all outbound traffic is allowed unless we customize it.

>> The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.

For the above requirement we have to add ICMP to the inbound rules in the security group of the monitoring instance as well as the application instance.

So ping will work!

Yogi

C is right!
Tested by launching 2 instances in the same VPC but different AZs.
SG-1 on Monitoring Instance-1: only outbound ICMP allowed (incoming ICMP is enabled automatically as security groups are stateful).
SG-2 on Application Instance-2: only inbound ICMP allowed (outgoing ICMP is enabled automatically as security groups are stateful).

Test results: I can ping from the monitoring instance to the application instance.

JERRY

I really think it should be B.

ICMP needs both the ping and the ping-return traffic to work. For the monitoring instance, the SG has to allow inbound ICMP as well. Otherwise, the returned ICMP traffic won't reach the monitoring instance. So B is correct.

As to C, outbound ICMP is automatically enabled. What you need to do is enable inbound ICMP.

Leonardo Gialluisi

Answer is C. It is not necessary to configure outbound in security groups.

Manan Kapadia

C is the correct answer.

No. Two instances in two different AZs can't talk directly to each other via ICMP ping, as that protocol is not allowed across subnet (i.e. broadcast) boundaries. (They can communicate.)

Yes. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP. (They need not be part of the same security group.)

Yes. The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow inbound ICMP. (Security groups are stateful, so just allow outbound ICMP from the monitoring instance and inbound ICMP on the monitored instance.)

Yes. Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets, since ICMP is not a connection-oriented protocol. (Security groups are stateful.)

VERGEBLAZE

I think it's B. All outbound traffic is allowed by default in security groups, so you only have to explicitly configure inbound rules.

NikiHeat

C: security groups are stateful, so D is not the answer.

Viet Nguyen

D, because ICMP is connectionless.

anup

C is the answer. Tested and verified.

Fifi

C is the answer.

Jake

This question is not quite correct. ICMP is a stateless protocol indeed, but AWS SGs bind ICMP requests and replies together. I vote for C.

LV

B

By default, outbound is permitted in security groups. Plus, although ICMP is connectionless, the stateful firewall would allow it to return.

Plus, C allows ICMP from any source, and the requirement is "only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else"; they have to be in the same security group.

Sam T

Not correct at all

Sam T

C is correct. You only need an outbound SG rule and an inbound SG rule. ICMP being connectionless is just there to throw you off; the SG is stateful, so the return packet will come.
The only other point to be mentioned is the route, which somehow is being confused with rules. A default route always exists (but SG rules do not), so all subnets can talk to each other, but the SG (and NACLs) must allow it. By default, NACLs allow all (unless you change them). However, the route is not part of the question here.