Your VPC consists of public and private subnets.
The private subnets make use of a NAT instance to download updates from the internet.
The Instances are trying to download updates from a server that listens on port 8090
But the instances are not able to reach the external server for updates.
Which of the following could be relevant issues with this? Choose 3 answers from the options given below.
A. The NAT instance is blocking outbound traffic on port 8090.
B. The Inbound NACL is blocking traffic on ephemeral ports.
C. The Inbound Security Groups are blocking traffic on port 8090.
D. The remote server firewall is blocking traffic.

Answer - A, B and D.
The NAT instance could be blocking outbound traffic on port 8090, which would stop the update requests from leaving the VPC.
The server will answer the request from its port 8090 (source), so the reply arrives at the instance on an ephemeral port.
Because NACLs are stateless, the Inbound NACL must explicitly authorize this incoming traffic on the ephemeral port range.
The remote server could also be blocking traffic from the instances.
Option C is invalid because the return traffic needs to be authorized by the NACL, not by an inbound security group rule.
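To make the stateless-NACL point above concrete, here is an added example (not part of the original question or of AWS's documentation) that evaluates NACL entries the way the VPC does: lowest rule number wins, inbound and outbound are judged separately, and no match means the implicit deny. The NACL contents, the server IP 203.0.113.10 and the 1024-65535 ephemeral range are constructed assumptions.

```python
import ipaddress

# Constructed sample NACLs shaped like boto3 ec2.describe_network_acls() entries;
# not real account data. Rule 32767 is the implicit deny that ends every NACL.
def _entry(num, egress, action, lo, hi, proto="6", cidr="0.0.0.0/0"):
    return {"RuleNumber": num, "Egress": egress, "RuleAction": action,
            "Protocol": proto, "CidrBlock": cidr, "PortRange": {"From": lo, "To": hi}}

BROKEN_NACL = [
    _entry(100, True, "allow", 8090, 8090),       # outbound to the update server
    _entry(100, False, "allow", 443, 443),        # inbound allows only HTTPS
    _entry(32767, True, "deny", 0, 65535, "-1"),
    _entry(32767, False, "deny", 0, 65535, "-1"),
]
# Same NACL plus an inbound allow for the ephemeral range the replies land on.
FIXED_NACL = BROKEN_NACL + [_entry(110, False, "allow", 1024, 65535)]

def compile_rules(entries):
    """Sort by RuleNumber once and parse CIDRs; '-1' (all protocols) rules
    omit PortRange in real API output, so default to the full range."""
    rules = []
    for e in sorted(entries, key=lambda r: r["RuleNumber"]):
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        rules.append((e["Egress"], e["Protocol"], ipaddress.ip_network(e["CidrBlock"]),
                      pr["From"], pr["To"], e["RuleAction"] == "allow"))
    return rules

def nacl_allows(rules, egress, port, ip):
    """Stateless evaluation: the lowest-numbered matching rule decides;
    no match means the implicit deny applies."""
    for r_egress, proto, net, lo, hi, allow in rules:
        if r_egress == egress and proto in ("-1", "6") and ip in net and lo <= port <= hi:
            return allow
    return False

def update_flow_ok(entries, server_ip, server_port=8090, ephemeral=(1024, 65535)):
    """Return (outbound_ok, inbound_ok) for a TCP connection to server_port.
    Because the NACL is stateless, the reply must be allowed inbound on every
    source port the client might pick; the ephemeral range is an assumption
    (it varies by OS). Both values must be True for updates to flow."""
    rules = compile_rules(entries)
    ip = ipaddress.ip_address(server_ip)
    outbound_ok = nacl_allows(rules, True, server_port, ip)
    inbound_ok = all(nacl_allows(rules, False, p, ip)
                     for p in range(ephemeral[0], ephemeral[1] + 1))
    return outbound_ok, inbound_ok

if __name__ == "__main__":
    print("broken:", update_flow_ok(BROKEN_NACL, "203.0.113.10"))  # (True, False)
    print("fixed: ", update_flow_ok(FIXED_NACL, "203.0.113.10"))   # (True, True)
```

Running the same check against the NACL exported from a real VPC (via describe_network_acls) shows whether the failure is the inbound ephemeral-port rule or the outbound 8090 rule, before touching the security groups at all.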
For more information on NAT Instances, please visit the below URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

The issue here is that the instances in the private subnet are not able to reach an external server on port 8090. Let's examine each answer choice to determine which could be relevant issues.
A. The NAT instance is blocking outbound traffic on port 8090: This could be a potential issue. If the NAT instance is blocking outbound traffic on port 8090, then instances in the private subnet will not be able to reach the external server. To verify if this is the case, you can log in to the NAT instance and check the outbound security group rules to ensure that traffic on port 8090 is allowed.
B. The Inbound NACL is blocking traffic on ephemeral ports: This is not a relevant issue since ephemeral ports are used for inbound traffic, not outbound traffic. Since the issue is with outbound traffic, the inbound NACL rules would not be affecting this.
C. The Inbound Security Groups are blocking traffic on port 8090: This is also not a relevant issue since inbound security group rules only affect inbound traffic. Since the issue is with outbound traffic, the inbound security group rules would not be affecting this.
D. The remote server firewall is blocking traffic: This could also be a potential issue. If the remote server's firewall is blocking traffic on port 8090, then instances in the private subnet will not be able to reach the external server. To verify if this is the case, you can try connecting to the external server from a different location or using a different network to see if you can establish a connection.
In summary, the potential issues that could be causing the instances in the private subnet to not reach the external server for updates are: