AWS Certified Advanced Networking – Specialty (ANS-C00) — Question 59

A Network Engineer has enabled VPC Flow Logs to troubleshoot an ICMP reachability issue for an echo reply from an Amazon EC2 instance. The flow logs reveal an ACCEPT record for the request from the client to the EC2 instance, and a REJECT record for the response from the EC2 instance to the client.
What is the MOST likely reason for there to be a REJECT record?

Answer options

• A. The security group is denying inbound ICMP.
• B. The network ACL is denying inbound ICMP.
• C. The security group is denying outbound ICMP.
• D. The network ACL is denying outbound ICMP.

Correct answer: D

Explanation

The REJECT record indicates that the response from the EC2 instance is being blocked. The most likely cause is that the network ACL is denying outbound ICMP traffic, which is necessary for the echo reply to reach the client. The other options would affect incoming traffic but do not explain the outbound block observed in the flow logs.