AWS Certified SysOps Administrator – Associate (legacy) — Question 165

A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses
CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?

Answer options

• A. For Inbound allow Source: 20.0.1.0/24 on port 80
• B. For Outbound allow Destination: 0.0.0.0/0 on port 80
• C. For Inbound allow Source: 20.0.0.0/24 on port 80
• D. For Outbound allow Destination: 0.0.0.0/0 on port 443

Correct answer: C

Explanation

The correct answer is C, as the NAT instance does not need to accept inbound traffic from the public subnet (20.0.0.0/24) on port 80. The NAT is primarily used for allowing instances in the private subnet to access the internet, so inbound rules from the public subnet are not required. Options A, B, and D are needed to allow outbound internet access for the private subnet and handle web traffic correctly.