AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 350
A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2001:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
Which action will restore network reachability to the EC2 instance?
Answer options
- A. Update the security group associated with eni-0596e500123456789 to permit inbound traffic.
- B. Update the security group associated with eni-0596e500123456789 to permit outbound traffic.
- C. Update the network ACL associated with the subnet to permit inbound traffic.
- D. Update the network ACL associated with the subnet to permit outbound traffic.
Correct answer: D
Explanation
Read in the default flow log field order (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), the first record shows traffic from 2001:db8:2:200::2 to the instance (2001:db8:1:100::1) being ACCEPTed on eni-0596e500123456789, and the second shows the instance's reply to the same peer on the same ENI being REJECTed. An ACCEPT means both the security group and the network ACL allowed the inbound packets. Security groups are stateful: once a flow is allowed in, its return traffic is allowed out automatically regardless of the outbound rules, so neither A nor B can explain the reject. Network ACLs are stateless and evaluate inbound and outbound rules independently, so the reply is being dropped by the subnet's outbound network ACL rules; adding an outbound allow rule (D) restores reachability. Note that the logged protocol is 58 (ICMPv6), so when fixing the outbound rule for a web server also confirm that the NACL allows outbound TCP to the ephemeral port range (1024-65535) that HTTP responses to clients are sent on; otherwise the web content will still be unreachable even though ICMPv6 starts to flow.
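The reasoning above, turned into a small triage script, as an added example that is neither AWS code nor part of the exam question. It parses default-format (version 2) flow log records, and for a given instance address reports, per peer and protocol, whether a reject can only be explained by the stateless network ACL's outbound rules (inbound ACCEPTed, reply REJECTed) or whether it is an inbound block that could be either the security group or the NACL. The two sample records are the ones from the question, reproduced with their log-status field; the function and verdict names are the example's own.

```python
"""Triage VPC Flow Log records (default v2 format) to separate a stateless
network ACL drop from a stateful security group drop.

Added example, not AWS code; the sample records are the two from the question."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# IANA protocol numbers that show up most often in flow logs.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# The two records from the question, with the trailing log-status field.
SAMPLE_LOG = """\
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    protocol: int
    action: str
    log_status: str


def parse_record(line: str) -> FlowRecord:
    """Parse one default-format record; reject anything that is not 14 fields of v2."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError(f"unsupported flow log version {rec['version']}")
    return FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                      int(rec["protocol"]), rec["action"], rec["log_status"])


def parse_log(text: str) -> list[FlowRecord]:
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def diagnose(records: list[FlowRecord], instance_addr: str) -> dict[tuple[str, str], str]:
    """Map (peer, protocol) -> verdict for flows between the instance and each peer.

    'nacl_outbound': the peer's traffic to the instance was ACCEPTed (both SG and
        NACL let it in) but the instance's traffic back to that peer was REJECTed.
        A stateful SG allows the return half of an accepted flow regardless of its
        outbound rules, so only the stateless NACL's outbound rules produce this.
    'inbound_blocked': the peer's traffic to the instance was REJECTed and never
        ACCEPTed; SG inbound rules or NACL inbound rules may be at fault, and the
        flow log alone cannot tell which.
    """
    target = ip_address(instance_addr)
    inbound_accept, inbound_reject, outbound_reject = set(), set(), set()
    for r in records:
        if r.log_status != "OK":
            continue  # NODATA / SKIPDATA records carry no verdict
        src, dst = ip_address(r.srcaddr), ip_address(r.dstaddr)
        if dst == target:
            (inbound_accept if r.action == "ACCEPT" else inbound_reject).add((src, r.protocol))
        elif src == target and r.action == "REJECT":
            outbound_reject.add((dst, r.protocol))

    verdicts = {}
    for peer, proto in inbound_accept & outbound_reject:
        verdicts[(str(peer), PROTOCOL_NAMES.get(proto, str(proto)))] = "nacl_outbound"
    for peer, proto in inbound_reject - inbound_accept:
        verdicts[(str(peer), PROTOCOL_NAMES.get(proto, str(proto)))] = "inbound_blocked"
    return verdicts


if __name__ == "__main__":
    for key, verdict in diagnose(parse_log(SAMPLE_LOG), "2001:db8:1:100::1").items():
        print(key, verdict)
```

Run against the question's records with the instance address, the script reports the peer 2001:db8:2:200::2 over ICMPv6 as `nacl_outbound`, which is exactly the pattern that rules out options A and B and points at the subnet's outbound network ACL rules. The `inbound_blocked` verdict is deliberately non-committal: a bare inbound REJECT is consistent with either a security group or a network ACL rule, and you need the SG and NACL configuration, not just the flow log, to decide.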