Accessing New Service in VPC: Troubleshooting AWS Networking Issues

Troubleshooting AWS Networking Issues


Question

Web servers deployed in a VPC are accessed by the external vendor for routine maintenance & applying necessary security patches.

Recently, a new application was deployed on web servers launched in a new CIDR range.

Security Groups and NACLs allow all required ports in the inbound direction, as per the standard security guidelines.

Still, the vendor is not able to access the new service from the external cloud.

After checking the VPC routing table, no routing issues were found to this new subnet from the external network.

Which of the following can enable access to this service from the vendor network?

Answers

Explanations


A. B. C. D.

The problem in this scenario is that the vendor is not able to access the new service deployed on the web servers launched in the new CIDR range in the VPC. The Security Groups and Network ACLs (NACLs) are allowing all required ports in the inbound direction, and there are no routing issues in the VPC routing table.

To enable access to the new service from the vendor network, we need to identify the potential issue with Security Groups and NACLs.

Option A suggests making sure that Security Groups have the same inbound and outbound rules. While this is generally a good practice for security groups, it does not address the issue in this scenario. The problem is with inbound traffic not being allowed, so allowing outbound traffic would not help.

Option B suggests modifying the NACL to move the allow ports list to the lower-numbered rule so that these ports will be allowed. This option is incorrect because NACLs are evaluated in a top-down order based on the rule number, and the first rule that matches the traffic is applied. Therefore, the lower-numbered rule will not necessarily allow the traffic if a higher-numbered rule blocks it.

Option C suggests making sure that Security Groups are attached to the primary network interface of the server instance. This option is also incorrect because Security Groups are associated with instances and not with network interfaces.

Option D suggests modifying the NACL outbound rules to allow traffic to ephemeral ports (destination ports). This option is also incorrect because the problem is with inbound traffic, not outbound traffic.

In this scenario, we need to modify the NACL inbound rules to allow traffic from the vendor network to the new CIDR range. To do so, we need to identify the IP address range of the vendor network and add a new inbound rule to the NACL that allows traffic from that IP address range to the CIDR range of the new service.
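The following is an added example, not part of the original question or explanation, that models the top-down, first-match NACL evaluation described above and the inbound rule the explanation says must be added. The rule set, the vendor range (203.0.113.0/24), the application port (8443) and the rule numbers are all constructed for illustration; in a real account you would read the rules from the VPC console or the API rather than hard-coding them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class NaclRule:
    """One inbound network ACL rule (constructed model, not the AWS API shape)."""
    number: int       # rule number; rules are evaluated in ascending order
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int    # inclusive destination port range (ignored for "-1")
    port_to: int
    cidr: str         # source CIDR the rule matches


def evaluate(rules: List[NaclRule], src_ip: str, protocol: str,
             dst_port: int) -> Tuple[str, Union[int, str]]:
    """Return (action, rule_number) of the first matching rule in ascending
    rule-number order. If nothing matches, the implicit '*' rule denies."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"


def add_rule(rules: List[NaclRule], rule: NaclRule) -> List[NaclRule]:
    """Return a new rule list with `rule` added; rule numbers must be unique."""
    if any(r.number == rule.number for r in rules):
        raise ValueError(f"rule number {rule.number} already in use")
    return rules + [rule]


# Constructed inbound NACL as it stood before the new application was deployed:
# only an established partner range (198.51.100.0/24) is permitted.
EXISTING_INBOUND = [
    NaclRule(100, "allow", "tcp", 443, 443, "198.51.100.0/24"),
    NaclRule(200, "allow", "tcp", 22, 22, "198.51.100.0/24"),
]

VENDOR_CIDR = "203.0.113.0/24"   # constructed vendor source range
VENDOR_HOST = "203.0.113.10"     # a host inside that range
NEW_APP_PORT = 8443              # constructed port of the new service


def vendor_access_before() -> Tuple[str, Union[int, str]]:
    """The vendor's request hits no explicit rule, so the implicit '*' denies it."""
    return evaluate(EXISTING_INBOUND, VENDOR_HOST, "tcp", NEW_APP_PORT)


def vendor_access_after() -> Tuple[str, Union[int, str]]:
    """Adding an inbound allow for the vendor range on the new port fixes it."""
    fixed = add_rule(EXISTING_INBOUND,
                     NaclRule(110, "allow", "tcp", NEW_APP_PORT, NEW_APP_PORT, VENDOR_CIDR))
    return evaluate(fixed, VENDOR_HOST, "tcp", NEW_APP_PORT)


def ordering_matters() -> Tuple[Tuple[str, Union[int, str]], Tuple[str, Union[int, str]]]:
    """First match wins: an allow placed after a broader deny never takes effect,
    the same allow placed before the deny does."""
    deny_all_vendor = NaclRule(120, "deny", "-1", 0, 65535, VENDOR_CIDR)
    allow_after = NaclRule(130, "allow", "tcp", NEW_APP_PORT, NEW_APP_PORT, VENDOR_CIDR)
    allow_before = NaclRule(115, "allow", "tcp", NEW_APP_PORT, NEW_APP_PORT, VENDOR_CIDR)
    shadowed = evaluate(EXISTING_INBOUND + [deny_all_vendor, allow_after],
                        VENDOR_HOST, "tcp", NEW_APP_PORT)
    effective = evaluate(EXISTING_INBOUND + [deny_all_vendor, allow_before],
                         VENDOR_HOST, "tcp", NEW_APP_PORT)
    return shadowed, effective


if __name__ == "__main__":
    print("before fix:", vendor_access_before())
    print("after fix: ", vendor_access_after())
    print("shadowed / effective:", ordering_matters())
```

The evaluator deliberately keeps the implicit final deny explicit in its return value, so a result of `("deny", "*")` tells you that no rule at all matched the vendor's traffic, whereas `("deny", 120)` points at the specific rule that shadows your allow and therefore at the rule number you need to place the new entry below.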

Therefore, the correct answer is not provided in the given options. We need to modify the NACL inbound rules to allow traffic from the vendor network to the new CIDR range.