EC2 Instance Web Server Troubleshooting

Possible Cause for Web Server Inaccessibility


Question

You have configured a web server listening on port 80 on an EC2 Instance.

You are trying to reach the home page of the web server but are not able to do so.

You've checked that the Internet gateway is attached to the VPC, and the route tables have been modified accordingly.

You have also attached an Elastic IP address to the EC2 Instance.

Which of the following could be the cause of the underlying issue?


Answer - B.

If the NACL has a DENY rule for the port, as shown below, with a lower rule number than the ALLOW rule, the DENY rule is evaluated first, and this could be the reason the traffic is being blocked.

For more information on NACL, please visit the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html

Network ACL inbound rules. Because network ACLs are stateless, you must create inbound and outbound rules.

Rule #  Type         Protocol  Port Range  Source     Allow / Deny
95      HTTP (80)    TCP (6)   80          0.0.0.0/0  DENY
400     ALL Traffic  ALL       ALL         0.0.0.0/0  ALLOW
*       ALL Traffic  ALL       ALL         0.0.0.0/0  DENY

In this scenario, the web server has been configured on an EC2 instance and is listening on port 80. The user is unable to access the home page of the web server despite having confirmed that the Internet gateway is attached to the VPC, the route tables have been modified, and an Elastic IP address has been attached to the EC2 instance. We need to identify the cause of this issue from the given options.

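A. Check the Outbound Security Group rules, this could be denying the traffic on port 80. Outbound Security Group rules govern the traffic leaving an EC2 instance. The user is trying to reach the home page of the web server, which is an inbound request, and because security groups are stateful, the response to an allowed inbound request is permitted regardless of the outbound rules. Outbound rules would therefore not be a concern here. Hence, this option can be ruled out.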

B. Check the Inbound Rules for the NACL, this could be denying the traffic. Network Access Control Lists (NACLs) are stateless and control the traffic entering or leaving a subnet. Inbound rules could be blocking the incoming traffic, so the Inbound Rules for the NACL need to be checked. It is possible that a rule is blocking the incoming traffic on port 80, which could be causing the issue. Therefore, this option needs to be explored further.

C. You need to have a public IP defined for the EC2 Instance, since the Elastic IP will not work. An Elastic IP address is a public IPv4 address associated with an AWS account. It is possible to associate an Elastic IP address with an EC2 instance. Elastic IP addresses help in masking the failure of an instance or software by rapidly remapping the address to another instance in the account's VPC. Hence, this option can be ruled out as an Elastic IP address is already associated with the EC2 instance.

D. Change the Internet gateway as there could be an issue with the Internet gateway. The Internet Gateway is a horizontally scalable, redundant, and highly available VPC component that allows communication between instances in the VPC and the Internet. If there was an issue with the Internet gateway, the user would not have been able to connect to any resource outside the VPC. Since the user is able to connect to other resources outside the VPC, it is unlikely that the issue is related to the Internet Gateway. Therefore, this option can be ruled out.

In summary, option B (check the Inbound Rules for the NACL) could be the cause of the issue as inbound rules may be blocking the incoming traffic on port 80.
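To see why rule 95 wins over rule 400 in the inbound rules shown above, the following added example (not part of the original page) evaluates NACL entries in ascending rule-number order with first-match semantics. The entries are a constructed sample in the shape of the `Entries` list returned by EC2 `DescribeNetworkAcls`; the function names and the source address are assumptions, and only IPv4 entries are handled.

```python
import ipaddress

# Constructed sample mirroring the inbound rules shown above, in the shape of
# the "Entries" list from EC2 DescribeNetworkAcls. 32767 is the rule number
# the API reports for the default "*" rule. IPv4 entries only.
ENTRIES = [
    {"RuleNumber": 400, "Protocol": "-1", "RuleAction": "allow",
     "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 95, "Protocol": "6", "RuleAction": "deny",
     "Egress": False, "CidrBlock": "0.0.0.0/0",
     "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
     "Egress": False, "CidrBlock": "0.0.0.0/0"},
]


def matches(entry, src_ip, protocol, port):
    """True if one NACL entry applies to the packet."""
    if entry["Protocol"] not in ("-1", protocol):  # "-1" means all protocols
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    rng = entry.get("PortRange")  # absent when the rule covers all ports
    return rng is None or rng["From"] <= port <= rng["To"]


def evaluate(entries, src_ip, protocol, port, egress=False):
    """Return (action, rule_number) of the first matching rule.

    Rules are checked in ascending rule-number order and evaluation stops at
    the first match, so a low-numbered DENY shadows a higher-numbered ALLOW.
    """
    ordered = sorted((e for e in entries if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for entry in ordered:
        if matches(entry, src_ip, protocol, port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None  # only reached if the default rule is missing


def shadowed_allows(entries, src_ip, protocol, port, egress=False):
    """Rule numbers of ALLOW rules that match the packet but are never reached."""
    _, hit = evaluate(entries, src_ip, protocol, port, egress)
    return [e["RuleNumber"] for e in entries
            if e["Egress"] == egress and e["RuleAction"] == "allow"
            and matches(e, src_ip, protocol, port) and e["RuleNumber"] != hit]
```

Because NACLs are stateless, the same check has to be repeated with `egress=True` against the outbound entries for the response traffic.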