AWS Certified Advanced Networking - Specialty | Configuring Security Group for Git Repository Access



Question

Your application server instances reside in the private subnet of your VPC.

These instances need to access a Git repository on the Internet.

You create a NAT gateway in the public subnet of your VPC.

The NAT gateway can reach the Git repository, but instances in the private subnet cannot.

You confirm that a default route in the private subnet route table points to the NAT gateway.

How would you configure the security group of your application server instances to download patches from the Git repository?

Answers

Explanations



Answer - B.

The traffic leaves the instance destined for the NAT Gateway; at this point, the security group must allow it through.

The route then directs that traffic (based on the destination IP) to the Git repository.

Option A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway.

Option C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway.

Option D is wrong because allowing outgoing traffic to the Git repository requires an outbound security group rule, not an inbound one.

For more information on security groups, please refer to the link below:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html

The correct answer to the question is option B: Configure an outbound rule on the application server instance security group for the NAT Gateway.

Explanation:

The scenario described in the question involves an architecture in which an Amazon VPC is used to host private subnet instances that need access to a Git repository on the internet. To enable communication between the private subnet instances and the internet, a NAT gateway is created in the public subnet. The NAT gateway provides a way for private subnet instances to access the internet, while keeping the instances secure by hiding their private IP addresses.

In order for the application server instances in the private subnet to download patches from the Git repository, their security group must be configured to allow outbound traffic to the internet via the NAT gateway. This can be achieved by creating an outbound rule on the security group that allows traffic to the IP address of the NAT gateway.

Option A is not correct because assigning public IP addresses to the instances and routing 0.0.0.0/0 to the internet gateway would bypass the NAT gateway, which is responsible for securely allowing private subnet instances to access the internet.

Option C is not correct because network ACLs are used to control traffic flow at the subnet level, not at the instance level. In this scenario, network ACLs are not required because the NAT gateway is already allowing traffic from the private subnet instances to the internet.

Option D is not correct because an inbound rule on the security group is not necessary for outbound traffic. Inbound rules control traffic coming into an instance, while outbound rules control traffic leaving an instance.

Therefore, the correct answer is option B: Configure an outbound rule on the application server instance security group for the NAT Gateway.
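The two checks the question walks through (default route to the NAT gateway, then an outbound security group rule covering the destination) can be run offline against data shaped like `aws ec2 describe-route-tables` / `describe-security-groups` output. This is an added example, not part of the original page; the route table, security groups, `nat-0EXAMPLE`, `sg-0EXAMPLE` and the repository address 203.0.113.10 are all constructed placeholders.

```python
"""Offline diagnosis of the scenario above: is the private subnet's default
route a NAT gateway, and does the instance security group allow the egress?"""
import ipaddress

# Constructed sample: a route table whose 0.0.0.0/0 route targets a NAT gateway
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0EXAMPLE"},
]}

# Constructed sample: the broken state, a security group with no outbound rule
SG_BROKEN = {"GroupId": "sg-0EXAMPLE", "IpPermissionsEgress": []}

# The same group after option B: an outbound rule (HTTPS to any destination)
SG_FIXED = {"GroupId": "sg-0EXAMPLE", "IpPermissionsEgress": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}

def default_route_target(rtb):
    """Return the target of the 0.0.0.0/0 route, or None if there is none."""
    for r in rtb["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None

def egress_allowed(sg, dest_ip, port, proto="tcp"):
    """Security group semantics: rules are allow-only, any one matching egress
    rule permits the flow, and protocol -1 means all protocols and ports."""
    dest = ipaddress.ip_address(dest_ip)
    for rule in sg["IpPermissionsEgress"]:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
            continue
        for rng in rule.get("IpRanges", []):
            if dest in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False

def diagnose(rtb, sg, dest_ip, port):
    """Run the checks in the order the question describes; return the first failure."""
    target = default_route_target(rtb)
    if not target or not target.startswith("nat-"):
        return "default route does not point at a NAT gateway"
    if not egress_allowed(sg, dest_ip, port):
        return "security group has no egress rule for this flow"
    return "ok"
```

Running `diagnose(ROUTE_TABLE, SG_BROKEN, "203.0.113.10", 443)` reports the missing egress rule even though the route is correct, which is exactly the state the question describes.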