Allow Inbound Traffic on port 80 from 0.0.0.0/0 - EC2 Instance Security Group and NACL Configuration | AWS Certified Advanced Networking - Specialty Exam | Amazon

Resolving Access Issue to Web Server


Question

You have set up an EC2 Instance that hosts a web application.

You have set the following rules.

Security Group Rules: Allow Inbound Traffic on port 80 from 0.0.0.0/0

NACL Rules: Allow Inbound Traffic on port 80 from 0.0.0.0/0

Users are complaining that they cannot access the web server.

How can you ensure that the issue gets resolved?

Explanations

Answer - D.

This is also stated in the AWS documentation:

The client that initiates the request chooses the ephemeral port range.

The range varies depending on the client's operating system.

Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000.

Requests originating from Elastic Load Balancing use ports 1024-65535.

Windows operating systems through Windows Server 2003 use ports 1025-5000.

Windows Server 2008 and later versions use ports 49152-65535.

A NAT gateway uses ports 1024-65535.

For example, if a request comes into a web server in your VPC from a Windows XP client on the Internet, your network ACL must have an outbound rule to enable traffic destined for ports 1025-5000.

Options A and C are incorrect since security groups are stateful.

Hence you don't need to open the outbound rules here.

Option B is incorrect since port 80 only needs to be opened for incoming traffic.

For more information on ephemeral ports, please refer to the below URL.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#VPC_ACLs_Ephemeral_Ports
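To make the stateless NACL behaviour concrete, here is an added example (not from the AWS documentation or the exam page) that models the question's rule set and evaluates both directions of a web request the way a NACL does. The rule numbers, the client address 203.0.113.10 and its ephemeral port 1030 are constructed values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order; first match wins
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, remote_ip: str, port: int) -> bool:
        return (ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_decision(rules, remote_ip: str, port: int) -> str:
    """Stateless evaluation of one direction. The implicit final '*' rule
    denies any packet that no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, port):
            return rule.action
    return "deny"


# Constructed rule set mirroring the question: inbound port 80 open to the
# world, and no outbound rule at all (as on a freshly created custom NACL).
INBOUND = [Rule(100, "0.0.0.0/0", 80, 80, "allow")]
OUTBOUND_BROKEN = []
# The fix the explanation describes: an outbound allow rule for the
# ephemeral range (1024-65535 also covers the Windows XP range 1025-5000).
OUTBOUND_FIXED = [Rule(100, "0.0.0.0/0", 1024, 65535, "allow")]


def web_request_succeeds(inbound, outbound, client_ip: str, client_port: int) -> bool:
    """Request: client_ip:client_port -> server:80   (inbound, dst port 80).
    Reply:   server:80 -> client_ip:client_port    (outbound, dst port = ephemeral).
    A security group would pass the reply automatically because it is stateful;
    the NACL checks the reply's destination port against its outbound rules."""
    request_ok = nacl_decision(inbound, client_ip, 80) == "allow"
    reply_ok = nacl_decision(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    xp_client = ("203.0.113.10", 1030)   # constructed Windows XP client, port in 1025-5000
    print("NACL as configured:", web_request_succeeds(INBOUND, OUTBOUND_BROKEN, *xp_client))
    print("NACL with outbound ephemeral rule:", web_request_succeeds(INBOUND, OUTBOUND_FIXED, *xp_client))
```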

The given security group and NACL rules allow inbound traffic on port 80 from any source IP address (0.0.0.0/0). However, if the users are unable to access the web server, it could be due to other reasons such as network connectivity issues or application-level issues.

To troubleshoot the issue, you can perform the following steps:

  1. Check if the EC2 instance is running and accessible within the VPC. You can try to connect to the instance using SSH or RDP depending on the operating system of the instance.

  2. Check if the web server is running on the EC2 instance and listening on port 80. You can use the netstat command to check the open ports on the instance.

  3. Check if the web application is working properly. You can try to access the web application using a web browser on the instance itself.

  4. Check if there are any network connectivity issues between the users and the EC2 instance. You can use tools like ping and traceroute to diagnose the connectivity issues.

Assuming that the above steps confirm that the issue is related to the security group and NACL rules, the answer to the question is:

C. Allow Outgoing Traffic on the Security groups for ephemeral ports.

When a client initiates a connection to a web server on port 80, it uses a randomly generated port number (ephemeral port) for the client side of the connection. By default, the ephemeral port range is between 1024 and 65535. When the web server responds, it sends the response back to the client's ephemeral port. Therefore, to allow the web server to send the response back to the client, the security group for the EC2 instance should allow outgoing traffic on ephemeral ports.

Options A and B are incorrect because allowing outgoing traffic on port 80 does not address the issue of the web server not being able to respond back to the clients on ephemeral ports.

Option D is incorrect because allowing outgoing traffic on ephemeral ports in the NACL is not necessary as outgoing traffic is allowed by default in the NACL. The NACL rules only affect incoming traffic.