Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.
1. You have configured a network access control list to permit inbound traffic to an EC2 web server from a set of customer IP addresses. The NACL is configured to block all outbound traffic. What is the result of this configuration?
A. Users from the permitted IP addresses can access the web server. The web server can also initiate a connection to the customer IP addresses.
B. Users from the permitted IP addresses can access the web server without issues, but the web server cannot initiate a connection to the customer IP addresses.
C. Users from the permitted IP addresses cannot access the web server.
D. Users from the permitted IP address range can access the web server only if a security group rule is created to allow it.
2. You are creating a security group that allows monitoring software to communicate with EC2 instances using ICMP. The monitoring software will initiate communication to the EC2 instances. Which statements regarding this configuration are correct? (Choose two.)
A. You need to configure the security group to allow the necessary incoming traffic.
B. ICMP cannot be tracked by a security group because it is a connectionless protocol.
C. You need to allow outbound ICMP on the security group.
D. You do not need to allow outbound ICMP on the security group.
1. Answer: C is correct. Users from the permitted IP addresses cannot establish connectivity with the web server. The NACL is not stateful, and therefore, return traffic from the web server instance can never reach the customer IP addresses because all outbound (return) traffic is blocked.
2. Answer: A and D are correct. ICMP traffic can be tracked by a security group. A security group is stateful and dynamically allows return traffic. Therefore, you do not need to allow outbound ICMP on the security group.
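The two Cram Quiz answers both come down to one distinction: a network ACL evaluates every packet on its own, in each direction, against a numbered rule list (first match wins, implicit deny at the end), while a security group has allow-only rules and tracks connections so that the reply to an allowed packet is passed regardless of the rules for the reply direction. The following simulator is an added example and not code from the book or from AWS; it models that distinction in a few dozen lines and reproduces both answers. All addresses are constructed (TEST-NET-3 for the customers, private ranges for the VPC), and the model deliberately ignores ICMP types, multiple security groups per interface, and other details that do not change the stateful/stateless point.

```python
"""Stateless network ACL vs. stateful security group, simulated (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "icmp"
    sport: int    # source port (0 for icmp)
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny" (security groups only ever use "allow")
    proto: str                    # "tcp", "icmp" or "all"
    cidr: str                     # remote CIDR: source for inbound rules, destination for outbound
    ports: tuple = (0, 65535)     # inclusive range matched against the packet's destination port
    number: int = 0               # NACL rule number; lower numbers are evaluated first


def _rule_matches(rule, pkt, direction):
    """True if `rule` applies to `pkt` when the packet travels in `direction`."""
    remote_ip = pkt.src if direction == "inbound" else pkt.dst
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule.cidr, strict=False):
        return False
    if rule.proto not in ("all", pkt.proto):
        return False
    if pkt.proto == "icmp":       # no ports to check
        return True
    lo, hi = rule.ports
    return lo <= pkt.dport <= hi


class NetworkACL:
    """Stateless: every packet is checked against the rule list for its own direction.
    Rules are evaluated in ascending rule-number order, the first match decides, and the
    implicit final rule denies everything that nothing else matched."""

    def __init__(self, inbound, outbound):
        self.rules = {
            "inbound": sorted(inbound, key=lambda r: r.number),
            "outbound": sorted(outbound, key=lambda r: r.number),
        }

    def allows(self, pkt, direction):
        for rule in self.rules[direction]:
            if _rule_matches(rule, pkt, direction):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful: allow-only rules plus a connection table. The reply to a packet that was
    allowed in one direction is passed in the other direction without consulting the rules."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.tracked = set()      # 5-tuples of flows that an allow rule admitted

    def allows(self, pkt, direction):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.tracked:              # return traffic of an allowed flow
            return True
        if any(_rule_matches(r, pkt, direction) for r in self.rules[direction]):
            self.tracked.add(flow)
            return True
        return False


def exchange_succeeds(filt, request):
    """Deliver `request` to the instance, then its reply back out; both legs must pass."""
    reply = Packet(src=request.dst, dst=request.src, proto=request.proto,
                   sport=request.dport, dport=request.sport)
    return filt.allows(request, "inbound") and filt.allows(reply, "outbound")


# Constructed addresses for the two quiz scenarios.
CUSTOMERS = "203.0.113.0/24"   # the permitted customer IP range
WEB = "10.0.1.10"              # the EC2 web server
MONITOR = "10.0.2.0/24"        # subnet of the monitoring software


def question_1():
    """Returns (result with the quiz's NACL, result once outbound ephemeral ports are allowed)."""
    http_in = Rule("allow", "tcp", CUSTOMERS, (80, 80), number=100)
    blocked = NetworkACL(inbound=[http_in], outbound=[])            # all outbound blocked
    ephemeral_out = Rule("allow", "tcp", CUSTOMERS, (1024, 65535), number=100)
    fixed = NetworkACL(inbound=[http_in], outbound=[ephemeral_out])  # return traffic allowed
    req = Packet(src="203.0.113.7", dst=WEB, proto="tcp", sport=49152, dport=80)
    return exchange_succeeds(blocked, req), exchange_succeeds(fixed, req)   # (False, True)


def question_2():
    """ICMP from the monitor with only an inbound rule: the echo reply still gets out."""
    sg = SecurityGroup(inbound=[Rule("allow", "icmp", MONITOR)], outbound=[])
    ping = Packet(src="10.0.2.5", dst=WEB, proto="icmp", sport=0, dport=0)
    return exchange_succeeds(sg, ping)   # True: no outbound ICMP rule is needed


if __name__ == "__main__":
    print("Q1 (NACL blocks all outbound, then with ephemeral ports allowed):", question_1())
    print("Q2 (security group, inbound ICMP only):", question_2())
```

The instructive line is the reply in `question_1`: the web server answers from port 80 to the customer's ephemeral source port, so the outbound NACL rule has to cover the ephemeral range, not port 80. That is the rule the quiz's configuration is missing, and it is also why the security group in `question_2` needs nothing outbound at all: its connection table already knows the reply belongs to a flow that was allowed in.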
This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:
5.1 Implement networking features and connectivity
If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.
1. You are using the AWS Network Firewall with the AWS Firewall Manager. What is the scope of the policies that you create?
2. Does the AWS Network Firewall protect from DDoS attacks?
1. Answer: Policies can be applied across multiple VPCs and AWS accounts.
2. Answer: No, the AWS Network Firewall does not mitigate volumetric attacks that generate massive amounts of traffic or requests. The AWS WAF and AWS Shield can be used to mitigate those types of attacks.
The biggest benefit of the AWS Network Firewall is that it can be enabled across an entire AWS environment, with multiple VPCs and accounts, with just a few clicks in the console. Rules can be defined that provide fine-grained control over network traffic. You can also import open-source or partner-created rules. It has a built-in intrusion prevention system (IPS) and can also perform URL filtering. Because it is a managed service, you do not need to manage or deploy EC2 instances or any other AWS resources to enable it.
The AWS Network Firewall can be deployed in a centralized or a distributed configuration. In a centralized deployment, the AWS Network Firewall is attached to a transit gateway. This allows you to filter inbound and outbound traffic to or from Internet gateways, Direct Connect gateways, Site-to-Site VPN and Client VPN gateways, NAT gateways, and even traffic between other attached VPCs. In a distributed deployment, the AWS Network Firewall is deployed within individual VPCs for enforcement closer to the applications.
AWS Network Firewall activity can be logged to an Amazon S3 bucket or to Amazon Kinesis Firehose. The AWS Network Firewall does not support deep packet inspection for encrypted traffic. Traffic can be decrypted by a Network Load Balancer (NLB) before it is sent to the AWS Network Firewall.