AWS Certified Advanced Networking - Specialty Exam: Answer to 'ANS-C01' Question

AWS Networking - NACL Configuration for Web Server Hosting on EC2 Instance

Prev Question Next Question

Question

You have a web server hosted on an EC2 Instance.

The subnet hosting the EC2 Instance has the following NACL attached INBOUND RULES: Rule # Type Protocol Port Range Source Allow / Deny 100 HTTP(80) TCP(6) 80 0.0.0.0/0 ALLOW 101 HTTPS(443) TCP(6) 443 0.0.0.0/0 ALLOW OUTBOUND RULES: Rule # TYPE Protocol Port Range Destination Allow / Deny 200 HTTP(80) TCP(6) 80 0.0.0.0/0 ALLOW 201 HTTPS(443) TCP(6) 443 0.0.0.0/0 DENY 1000 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW * ALL Traffic ALL ALL 0.0.0.0/0 DENY What happens when a request comes from the internet to the webserver on port 80?

Answers

Explanations

Click on the arrows to vote for the correct answer

A. B. C. D.

Answer - A.

Rules are evaluated starting with the lowest numbered rule.

As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that may contradict it.

Hence when the request comes from the internet , Rule no 100 will match for the port 80 request.

As a packet comes to the subnet, we evaluate it against the ingress rules of the ACL the subnet is associated with (starting at the top of the list of rules, and moving to the bottom)

Here's how the evaluation goes if the packet is destined for the SSL port (443)

The packet doesn't match the first rule evaluated (rule 100)

It does match the second rule (110), which allows the packet into the subnet.

If the packet had been destined for port 139 (NetBIOS), it doesn't match any of the rules, and the * rule ultimately denies the packet.

You might want to add a DENY rule in a situation where you legitimately need to open a wide range of ports, but there are certain ports within that range you want to deny.

Just make sure to place the DENY rule earlier in the table than the rule that allows the wide range of port traffic.

For more information on NACL's please see the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Inbound

Rule
#

100

110

120

130

140

Type Protocol Port
Range
HTTP TCP 80
HTTPS TCP 443
SSH TCP 22
RDP TCP 3389
Custom TCP 32768-
TCP 65535

Source Allow/Deny Comments

0.0.0.0/0 ALLOW

0.0.0.0/0 ALLOW

192.0.2.0/24 ALLOW

192.0.2.0/24 ALLOW

0.0.0.0/0 ALLOW

Allows inbound HTTP traffic from any IPv4
address.

Allows inbound HTTPS traffic from any IPv4-
address.

Allows inbound SSH traffic from your home
network's public IPv4 address range (over the
Internet gateway).

Allows inbound ROP traffic to the web servers
from your home network's public IPv4 address
range (over the Internet gateway).

Allows inbound return IPv4 traffic from the
Internet (that is, for requests that originate in the
subnet).

When a request comes from the internet to the webserver on port 80, the Network Access Control List (NACL) attached to the subnet hosting the EC2 instance will be evaluated to determine whether the request should be allowed or denied.

The NACL has inbound and outbound rules that specify which traffic is allowed or denied to enter or leave the subnet. The inbound rule #100 matches the request, which allows HTTP traffic (protocol TCP(6)) on port 80 from any source IP address (0.0.0.0/0) to enter the subnet. Therefore, the request will be allowed because of Rule no. 100.

Outbound rule #201, on the other hand, denies HTTPS traffic (protocol TCP(6)) on port 443 to leave the subnet to any destination IP address (0.0.0.0/0). However, this rule does not affect inbound traffic coming from the internet to the webserver.

Outbound rule #200 allows HTTP traffic (protocol TCP(6)) on port 80 to leave the subnet to any destination IP address (0.0.0.0/0). This rule does not affect inbound traffic coming from the internet to the webserver.

The default inbound rule #1000 allows all traffic (all protocols and port ranges) from any source IP address (0.0.0.0/0) to enter the subnet. This rule does not affect the incoming HTTP traffic on port 80, as it has already been allowed by rule #100.

The default outbound rule * denies all traffic (all protocols and port ranges) to leave the subnet to any destination IP address (0.0.0.0/0). This rule does not affect the outgoing HTTP traffic on port 80, as it has already been allowed by rule #200.

Therefore, the correct answer is A. The request will be allowed because of Rule no. 100 which matches the request.