AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 343
Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?
Answer options
- A. Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
- B. Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
- C. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
- D. Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
Correct answer: C
Explanation
The Amazon EC2 instance metadata service (IMDS) is accessed locally using HTTP (TCP port 80) at the link-local IP address 169.254.169.254. Because the host-based firewall blocks outgoing traffic, an outbound rule must be configured to allow TCP connections to this destination. Inbound rules are not required to initiate the request, and port 443 (HTTPS) is not used for standard IMDS access.
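The following is an added example, not part of the exam question or an AWS-provided script. It models the policy in the question (all outbound traffic denied, one exception requested) as a small POSIX shell check, prints the iptables commands such an exception would correspond to on a Linux instance (the iptables form is an assumption; the question does not name a firewall product), and includes a probe to confirm IMDS reachability once the rule is in place.

```shell
#!/bin/sh
# Added example: evaluates each candidate firewall rule against the one flow the
# instance actually generates when it reads metadata: outbound TCP to 169.254.169.254:80.

IMDS_IP="169.254.169.254"
IMDS_PORT="80"

# rule_permits_imds DIRECTION PROTO DEST_IP DEST_PORT
# Returns 0 when the rule described by the four arguments would let the IMDS
# request through, 1 otherwise. DEST_PORT may be "any" (option A gives no port).
rule_permits_imds() {
    dir=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    proto=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    dst="$3"; port="$4"
    # The instance initiates the connection, so only an OUTPUT rule matters;
    # an inbound rule never unblocks a locally originated request.
    case "$dir" in out|outbound) ;; *) return 1 ;; esac
    [ "$proto" = "tcp" ] || return 1
    [ "$dst" = "$IMDS_IP" ] || return 1
    case "$port" in any|"$IMDS_PORT") return 0 ;; *) return 1 ;; esac
}

# The exception from answer C expressed as iptables rules (assumed firewall).
# Return traffic rides the established connection, so no separate inbound
# allow for 169.254.169.254 is needed beyond the conntrack rule.
print_imds_exception() {
    cat <<EOF
iptables -A OUTPUT -p tcp -d ${IMDS_IP} --dport ${IMDS_PORT} -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
EOF
}

# Verification step to run on the instance after the rule is applied (IMDSv2
# token flow; both the PUT and the GET use the same address and port 80).
probe_imds() {
    token=$(curl -s --max-time 2 -X PUT "http://${IMDS_IP}/latest/api/token" \
        -H "X-aws-ec2-metadata-token-ttl-seconds: 60") || return 1
    curl -s --max-time 2 -H "X-aws-ec2-metadata-token: $token" \
        "http://${IMDS_IP}/latest/meta-data/instance-id"
}

for opt in "A in tcp $IMDS_IP any" "B in tcp $IMDS_IP 80" \
           "C out tcp $IMDS_IP 80" "D out tcp $IMDS_IP 443"; do
    set -- $opt
    if rule_permits_imds "$2" "$3" "$4" "$5"; then echo "$1: permits IMDS"; else echo "$1: blocked"; fi
done
```

Only option C reports "permits IMDS"; run `probe_imds` on the instance itself to confirm the exception works end to end.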