AWS Certified Security – Specialty — Question 293
A Network Load Balancer (NLB) target instance is not entering the InService state. A security engineer determines that health checks are failing.
Which factors could cause the health check failures? (Choose three.)
Answer options
- A. The target instance’s security group does not allow traffic from the NLB.
- B. The target instance’s security group is not attached to the NLB.
- C. The NLB’s security group is not attached to the target instance.
- D. The target instance’s subnet network ACL does not allow traffic from the NLB.
- E. The target instance’s security group is not using IP addresses to allow traffic from the NLB.
- F. The target network ACL is not attached to the NLB.
Correct answer: A, D, E
Explanation
Health check traffic from a Network Load Balancer (NLB) arrives at the target from the NLB's IP addresses, so the target instance's security group must explicitly permit traffic from those IP addresses (A and E); in this question's model, NLBs do not support security group referencing, so a rule that references a security group instead of IP addresses will not admit the health checks. Additionally, the network ACLs (NACLs) for the target's subnet must allow traffic to and from the NLB (D); because NACLs are stateless, both the inbound health check traffic and the outbound return traffic must be permitted. The other options are incorrect because security groups are not attached to an NLB in this manner (B, C), and NACLs are associated with subnets rather than with load balancers (F).