AWS Certified Solutions Architect – Professional — Question 795

A company has an Amazon VPC that is divided into a public subnet and a private subnet. A web application runs in the VPC, and each subnet has its own NACL. The public subnet has a CIDR of 10.0.0.0/24. An Application Load Balancer is deployed to the public subnet. The private subnet has a CIDR of 10.0.1.0/24. Amazon EC2 instances that run a web server on port 80 are launched into the private subnet.

Only network traffic that is required for the Application Load Balancer to access the web application can be allowed to travel between the public and private subnets.

What collection of rules should be written to ensure that the private subnet's NACL meets the requirement? (Choose two.)

Answer options

Correct answer: B, E

Explanation

Because Network Access Control Lists (NACLs) are stateless, they require explicit rules for both inbound request traffic and outbound response traffic. To allow the Application Load Balancer (ALB) in the public subnet (10.0.0.0/24) to access the web servers on port 80, the private subnet's NACL needs an inbound rule that allows TCP port 80 from the public subnet. Additionally, an outbound rule is required so that the response traffic can be returned to the ALB's ephemeral source port (in the 1024-65535 range) within the public subnet; without it, the reply is dropped even though the request was allowed.
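The following simulator is an added example (not AWS code or part of the original question) that models stateless NACL evaluation for the private subnet described above: rules are evaluated in ascending number order, the first match wins, and anything unmatched hits the implicit deny. The ALB and server addresses, and the ALB's ephemeral port, are constructed values.

```python
"""Stateless NACL check for the question's private subnet (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rules are evaluated lowest number first; first match wins
    protocol: str  # "tcp" or "all"
    port_from: int
    port_to: int
    cidr: str      # source CIDR for an inbound rule, destination CIDR for an outbound rule
    action: str    # "allow" or "deny"


def evaluate(rules, peer_ip, port, protocol="tcp"):
    """Return the action of the first matching rule, or 'deny' (the implicit '*' rule)."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol in ("all", protocol)
                and rule.port_from <= port <= rule.port_to
                and ip in ipaddress.ip_network(rule.cidr)):
            return rule.action
    return "deny"


PUBLIC_SUBNET = "10.0.0.0/24"
ALB_IP = "10.0.0.25"       # constructed: an ALB node address in the public subnet
OUTSIDE_IP = "192.0.2.10"  # constructed: a client that is not in the public subnet

# The two rules the explanation calls for on the private subnet's NACL.
INBOUND = [Rule(100, "tcp", 80, 80, PUBLIC_SUBNET, "allow")]
OUTBOUND = [Rule(100, "tcp", 1024, 65535, PUBLIC_SUBNET, "allow")]


def http_exchange_allowed(inbound, outbound, client_ip, client_port):
    """True only if the request (client -> server:80) AND the reply (server -> client:client_port)
    both pass; a stateless NACL never lets the reply through on the strength of the request."""
    request_ok = evaluate(inbound, client_ip, 80) == "allow"
    reply_ok = evaluate(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print("ALB exchange with both rules:", http_exchange_allowed(INBOUND, OUTBOUND, ALB_IP, 45000))
    print("ALB exchange without the outbound rule:", http_exchange_allowed(INBOUND, [], ALB_IP, 45000))
```

Dropping the outbound rule, or scoping it to port 80 instead of the ephemeral range, lets the request in but silently drops every reply, which is the failure mode the stateless design produces.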