AWS Certified Security – Specialty — Question 121

A Development team has built an experimental environment to test a simple static web application. It has built an isolated VPC with a private and a public subnet.
The public subnet holds only an Application Load Balancer, a NAT gateway, and an internet gateway. The private subnet holds all of the Amazon EC2 instances.
There are 3 different types of servers. Each server type has its own Security Group that limits access to only required connectivity. The Security Groups have both inbound and outbound rules applied. Each subnet has both inbound and outbound network ACLs applied to limit access to only required connectivity.
Which of the following should the team check if a server cannot establish an outbound connection to the internet? (Choose three.)

Answer options

• A. The route tables and the outbound rules on the appropriate private subnet security group.
• B. The outbound network ACL rules on the private subnet and the inbound network ACL rules on the public subnet.
• C. The outbound network ACL rules on the private subnet and both the inbound and outbound rules on the public subnet.
• D. The rules on any host-based firewall that may be applied on the Amazon EC2 instances.
• E. The Security Group applied to the Application Load Balancer and NAT gateway.
• F. That the 0.0.0.0/0 route in the private subnet route table points to the Internet gateway in the public subnet.

Correct answer: A, C, D

Explanation

The correct answer includes checking the route tables and outbound rules on the private subnet security group (A), the outbound network ACL rules on the private subnet along with both rules on the public subnet (C), and the host-based firewall settings on the EC2 instances (D). Options B and E are incorrect because they do not address the specific outbound connectivity issues related to the private subnet, while option F is incorrect since the private subnet should route through the NAT gateway, not directly to the Internet gateway.