AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 349
A company's website is hosted on an Amazon EC2 instance. The website delivers dynamic content through Amazon CloudFront to users. After instance maintenance, users receive HTTP 502 (Bad Gateway) errors while attempting to access the website.
What is the MOST likely cause of this issue?
Answer options
- A. The security group configuration on the origin is blocking traffic from CloudFront.
- B. The origin does not support the ciphers or protocols in the SSL/TLS exchange with CloudFront.
- C. There are resource constraints, and CloudFront cannot route requests to an available edge location.
- D. The origin does not have enough capacity to support the request rate.
Correct answer: B
Explanation
An HTTP 502 (Bad Gateway) error from CloudFront typically points to an SSL/TLS negotiation failure between CloudFront and the origin server, which often happens when the origin's supported ciphers or protocols change during maintenance. If security groups were blocking traffic, CloudFront would instead return a 504 Gateway Timeout error, because it could not establish a TCP connection. Capacity constraints or edge location routing issues would not manifest as a 502 Bad Gateway, which here stems from the failed handshake with the origin.