AWS Certified Solutions Architect – Professional (SAP-C02) — Question 291

A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.

In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service runs on EC2 instances behind a Network Load Balancer (NLB); the NLB and the EC2 instances are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.

Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)

Answer options

Correct answer: A, C

Explanation

Because the NLB and the EC2 instances hosting the logging service are deployed in different subnets, the network ACLs (NACLs) of both subnets must allow traffic between them in both directions. NACLs are stateless, so it is not enough to allow the inbound request on the target subnet: the target subnet's outbound rules must also allow the TCP replies back to the NLB subnet on the ephemeral port range, and the NLB subnet's rules must allow the same flow in reverse. Additionally, for connections that arrive through AWS PrivateLink, the source IP addresses seen by the target EC2 instances are the private IP addresses of the NLB nodes; client IP preservation does not apply to PrivateLink traffic (Proxy Protocol v2 can be enabled on the NLB if the service needs the original client address). The EC2 security group must therefore allow inbound traffic on the listener port from the NLB subnets (or the NLB nodes' private IPs) rather than from the client source IPs.
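The following is an added example, not part of the exam page, that models the two checks above as code: a stateless NACL evaluation (lowest rule number first, first match wins, implicit deny) across all four traversals of one TCP connection between an NLB node and a target, plus a stateful security-group inbound check. All subnets, addresses, ports and rule sets below are constructed for illustration; the "broken" rule sets reproduce the two misconfigurations the explanation describes (no outbound ephemeral-port rule on the target subnet, and a security group that trusts client CIDRs instead of the NLB subnet).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # NACLs are evaluated in ascending rule number; first match wins
    egress: bool     # True = outbound rule (matches destination), False = inbound (matches source)
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str    # security groups are allow-only; any matching rule permits
    cidr: str
    port_from: int
    port_to: int


def nacl_permits(rules, egress, protocol, ip, port):
    """Stateless NACL evaluation: first rule that matches decides; no match is the implicit '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.egress != egress or r.protocol not in ("-1", protocol):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        return r.action == "allow"
    return False


def sg_permits_inbound(rules, protocol, src_ip, port):
    """Stateful security group: only the inbound rule matters; replies are tracked automatically."""
    return any(
        r.protocol in ("-1", protocol)
        and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.cidr)
        and (r.protocol == "-1" or r.port_from <= port <= r.port_to)
        for r in rules
    )


def flow_permitted(nlb_nacl, target_nacl, nlb_ip, target_ip, dst_port, ephemeral_port):
    """All four NACL traversals of one TCP connection from an NLB node to a target instance."""
    checks = {
        "nlb_egress":     nacl_permits(nlb_nacl,    True,  "tcp", target_ip, dst_port),
        "target_ingress": nacl_permits(target_nacl, False, "tcp", nlb_ip,    dst_port),
        "target_egress":  nacl_permits(target_nacl, True,  "tcp", nlb_ip,    ephemeral_port),
        "nlb_ingress":    nacl_permits(nlb_nacl,    False, "tcp", target_ip, ephemeral_port),
    }
    return all(checks.values()), checks


# Constructed topology (hypothetical addresses): NLB subnet and target subnet in the service VPC.
NLB_SUBNET, TARGET_SUBNET = "10.0.1.0/24", "10.0.2.0/24"
NLB_NODE_IP, TARGET_IP = "10.0.1.45", "10.0.2.17"
LOG_PORT = 514  # syslog over TCP, as an example listener/target port

NLB_NACL = [
    NaclRule(100, True,  "tcp", TARGET_SUBNET, LOG_PORT, LOG_PORT, "allow"),
    NaclRule(100, False, "tcp", TARGET_SUBNET, 1024, 65535, "allow"),
]
# Broken target subnet NACL: inbound 514 is allowed, but outbound only lets 443 out, so TCP replies die.
BROKEN_TARGET_NACL = [
    NaclRule(100, False, "tcp", NLB_SUBNET,  LOG_PORT, LOG_PORT, "allow"),
    NaclRule(100, True,  "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
FIXED_TARGET_NACL = BROKEN_TARGET_NACL + [
    NaclRule(110, True, "tcp", NLB_SUBNET, 1024, 65535, "allow"),  # return traffic to the NLB nodes
]
# Broken security group: trusts the client VPC CIDR, which is never the source for PrivateLink traffic.
BROKEN_TARGET_SG = [SgRule("tcp", "172.16.0.0/12", LOG_PORT, LOG_PORT)]
FIXED_TARGET_SG = [SgRule("tcp", NLB_SUBNET, LOG_PORT, LOG_PORT)]


def diagnose(target_nacl, target_sg, ephemeral_port=49152):
    """Return a per-hop verdict for the NLB-to-target path under a given target NACL and SG."""
    _, checks = flow_permitted(NLB_NACL, target_nacl, NLB_NODE_IP, TARGET_IP, LOG_PORT, ephemeral_port)
    checks["target_sg_inbound"] = sg_permits_inbound(target_sg, "tcp", NLB_NODE_IP, LOG_PORT)
    return checks


if __name__ == "__main__":
    for label, nacl, sg in (("broken", BROKEN_TARGET_NACL, BROKEN_TARGET_SG),
                            ("fixed", FIXED_TARGET_NACL, FIXED_TARGET_SG)):
        print(label, diagnose(nacl, sg))
```

Running the block shows the broken configuration failing on `target_egress` (stateless NACL, no ephemeral-port outbound rule) and on `target_sg_inbound` (wrong trusted source), while the fixed rule sets pass every hop. When checking a real deployment, take the NLB node private IPs from the load balancer's network interfaces in the NLB subnets rather than from the client side.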