AWS Certified SysOps Administrator – Associate (SOA-C03) — Question 25

A CloudOps engineer is creating a simple, public-facing website running on Amazon EC2. The CloudOps engineer created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the CloudOps engineer created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the CloudOps engineer created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet.
What is the cause of this issue?

Answer options

Correct answer: A

Explanation

The correct answer is A. Network ACLs are stateless, so the return traffic for each HTTP request must be allowed explicitly: the response leaves the subnet addressed to the client's ephemeral port, and the outbound rules of the network ACL must allow the ephemeral port range. The other options do not directly address the return traffic issue or are not relevant to the current configuration of the EC2 instance and its accessibility.
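
The stateless check behind this answer, as an added example that is not part of the original question: a small Python model of network ACL evaluation for one HTTP exchange. The rule numbers, the client address and port, and the 1024-65535 ephemeral range are constructed assumptions.

```python
# Added illustration: a minimal model of stateless network ACL evaluation.
# Rule numbers, addresses and the 1024-65535 range are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int
    cidr: str
    port_from: int
    port_to: int
    allow: bool

def evaluate(rules, peer_ip, port):
    """First matching rule in ascending rule-number order wins; else implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if ip_address(peer_ip) in ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.allow
    return False  # the implicit "*" deny entry

def http_round_trip(inbound, outbound, client_ip, client_port, server_port=80):
    """Return (request_delivered, response_delivered) for one TCP exchange.

    The security group is stateful, so it is not modelled here: it lets the
    reply out automatically once the inbound request was allowed.
    The NACL keeps no connection state and checks each direction separately.
    """
    # Inbound: matched on source CIDR and destination port (the server's port 80)
    request_ok = evaluate(inbound, client_ip, server_port)
    # Outbound: matched on destination CIDR and destination port (client's ephemeral port)
    response_ok = request_ok and evaluate(outbound, client_ip, client_port)
    return request_ok, response_ok

INBOUND = [Rule(100, "0.0.0.0/0", 80, 80, True)]
OUTBOUND_AS_BUILT = []  # a new custom NACL has no allow rules until they are added
OUTBOUND_FIXED = [Rule(100, "0.0.0.0/0", 1024, 65535, True)]

CLIENT = ("203.0.113.10", 51514)  # constructed client address and ephemeral port

def diagnose():
    before = http_round_trip(INBOUND, OUTBOUND_AS_BUILT, *CLIENT)
    after = http_round_trip(INBOUND, OUTBOUND_FIXED, *CLIENT)
    return before, after

if __name__ == "__main__":
    print(diagnose())
```

With the NACL as built, the request reaches the instance but the response is dropped at the subnet boundary, which from the internet looks the same as an unreachable site.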