A user has created a VPC with public and private subnets.
The VPC has CIDR 20.0.0.0/16
The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24
The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306)
The user is configuring a security group of the NAT instance.
Which of the below mentioned entries is not required for the NAT security group?
A. For Inbound allow Source: 20.0.1.0/24 on port 80
B. For Outbound allow Destination: 0.0.0.0/0 on port 80
C. For Inbound allow Source: 20.0.0.0/24 on port 80
D. For Outbound allow Destination: 0.0.0.0/0 on port 443

Answer - C.
As per AWS, below are the recommended rules for a NAT instance.
For information on NAT security, please visit the link:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

The NAT instance in a VPC is used to provide internet connectivity to instances in the private subnet. To achieve this, the NAT instance should be placed in a public subnet, and a route table should be configured to route internet-bound traffic from the private subnet instances to the NAT instance.
In this scenario, the user has created a VPC with a public subnet (20.0.0.0/24) and a private subnet (20.0.1.0/24). The user plans to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The NAT instance should be placed in the public subnet, and its security group should be configured to allow traffic between the private and public subnets.
Let's review the options provided:
A. For Inbound allow Source: 20.0.1.0/24 on port 80
This rule allows incoming traffic from the private subnet (20.0.1.0/24) to the NAT instance on port 80. It is required so that the private subnet instances can reach the internet through the NAT instance.

B. For Outbound allow Destination: 0.0.0.0/0 on port 80
This rule allows outgoing traffic from the NAT instance to any destination on port 80. It is required so that the NAT instance can forward the private subnet's traffic to the internet.

C. For Inbound allow Source: 20.0.0.0/24 on port 80
This rule allows incoming traffic from the public subnet (20.0.0.0/24) to the NAT instance on port 80. It is not required because the NAT instance is not serving any service on port 80 to the public subnet.

D. For Outbound allow Destination: 0.0.0.0/0 on port 443
This rule allows outgoing traffic from the NAT instance to any destination on port 443. It is not required for the NAT security group because the NAT instance is not serving any service on port 443.
Therefore, the correct answer is C. For Inbound allow Source: 20.0.0.0/24 on port 80.
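The reasoning above can be made mechanical. The following is an added example, not part of the original question, its answer, or the AWS documentation it cites: a small Python check that models the four offered security-group rules as data, declares the traffic the NAT instance is expected to carry, and reports which rules that traffic exercises and which it does not. The NAT address 20.0.0.10, the private host 20.0.1.25 and the internet address 203.0.113.10 are constructed values; the rules are the options A to D above. Because security groups are stateful, only the initiating packet of each connection is checked, which is why no inbound rule from the public subnet or the internet is needed for replies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    label: str        # option letter from the question (A-D)
    direction: str    # "inbound" or "outbound"
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    port: int         # TCP destination port the rule permits


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    note: str


# Constructed: the NAT instance's address inside the public subnet 20.0.0.0/24.
NAT_IP = "20.0.0.10"

# The four rules offered by the question, as data.
NAT_RULES = [
    Rule("A", "inbound", "20.0.1.0/24", 80),
    Rule("B", "outbound", "0.0.0.0/0", 80),
    Rule("C", "inbound", "20.0.0.0/24", 80),
    Rule("D", "outbound", "0.0.0.0/0", 443),
]

# Constructed: the connections the NAT instance is expected to see. 203.0.113.10 is a
# documentation-range address standing in for an internet host. Each request from a
# private host produces two initiating flows: host -> NAT, then NAT -> internet.
INTENDED_FLOWS = [
    Flow("20.0.1.25", NAT_IP, 80, "private host fetches HTTP via NAT"),
    Flow(NAT_IP, "203.0.113.10", 80, "NAT forwards that HTTP request"),
    Flow("20.0.1.25", NAT_IP, 443, "private host fetches HTTPS via NAT"),
    Flow(NAT_IP, "203.0.113.10", 443, "NAT forwards that HTTPS request"),
]


def rule_matches(rule: Rule, flow: Flow, nat_ip: str) -> bool:
    """True if the flow's initiating packet is permitted by the rule.

    Security groups are stateful: once the first packet of a connection is allowed,
    the replies are allowed automatically, so return traffic needs no rule of its own.
    """
    if flow.dst_port != rule.port:
        return False
    if rule.direction == "inbound":
        # Inbound rules apply to traffic arriving at the NAT instance.
        return flow.dst_ip == nat_ip and ip_address(flow.src_ip) in ip_network(rule.cidr)
    # Outbound rules apply to traffic the NAT instance originates or forwards.
    return flow.src_ip == nat_ip and ip_address(flow.dst_ip) in ip_network(rule.cidr)


def exercised_rules(rules, flows, nat_ip):
    """Labels of the rules that at least one intended flow relies on."""
    return {r.label for r in rules for f in flows if rule_matches(r, f, nat_ip)}


def unused_rules(rules, flows, nat_ip):
    """Labels of rules no intended flow needs: removal candidates under least privilege."""
    used = exercised_rules(rules, flows, nat_ip)
    return sorted(r.label for r in rules if r.label not in used)


def unmatched_flows(rules, flows, nat_ip):
    """Intended flows that no rule permits: the rule set is too tight for them."""
    return [f.note for f in flows if not any(rule_matches(r, f, nat_ip) for r in rules)]


if __name__ == "__main__":
    print("used:   ", sorted(exercised_rules(NAT_RULES, INTENDED_FLOWS, NAT_IP)))
    print("unused: ", unused_rules(NAT_RULES, INTENDED_FLOWS, NAT_IP))
    print("blocked:", unmatched_flows(NAT_RULES, INTENDED_FLOWS, NAT_IP))
```

With these flows, A and B are exercised by the HTTP path and C is flagged as unused, matching the answer. The verdict on D depends on what you declare as intended traffic: the flow list includes an HTTPS request, so D is exercised by the forwarded half of it, but `unmatched_flows` also shows that the private host's HTTPS request never reaches the NAT under the four offered rules, because none of them admits inbound 443 from 20.0.1.0/24 (the AWS documentation's recommended set does). Remove the two HTTPS flows and D joins C in the unused list. Treating the rule set and the intended flows as data, and checking one against the other, is the same review a practitioner applies to any security group before it ships.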