AWS VPC Subnet Security Layer Options

Security Layer for Controlling Traffic in and out of VPC

Question

Which of the following is an optional Security layer attached to a subnet within a VPC for controlling traffic in & out of the VPC?

Answers

Explanations


Correct Answer - D.

A Network ACL can additionally be configured at the subnet level to control traffic in & out of the VPC.

Option A is incorrect.

VPC Flow Logs will capture information about IP traffic in & out of VPC.

This will not be used for controlling purposes.

Option B is incorrect.

Web Application Firewall (WAF) can be configured to protect web applications from common security threats.

It can be deployed on devices such as Amazon CloudFront, Application Load Balancer and Amazon API Gateway.

Option C is incorrect.

Security Groups are attached at instance level & not at the subnet level.

For more information on security within VPC, refer to the following URL:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison

The correct answer is D. Network ACL.

Network ACL stands for Network Access Control List. It is an optional security layer that can be attached to a subnet within a Virtual Private Cloud (VPC) in AWS. The purpose of a Network ACL is to control traffic in and out of the subnet.

A Network ACL acts as a firewall at the subnet level, controlling inbound and outbound traffic by allowing or denying traffic based on rules that you define. It is stateless, which means that each rule applies to both inbound and outbound traffic separately. In other words, if you want to allow traffic to enter a subnet, you need to create both an inbound rule and an outbound rule.

A Network ACL operates at the subnet level, which means that it can control traffic between instances in different subnets within the same VPC. However, it cannot control traffic between different VPCs or between a VPC and the internet. To control traffic between different VPCs or between a VPC and the internet, you need to use a different security layer, such as a VPN connection, an internet gateway, or a NAT gateway.

In contrast, Security Groups are another security layer that is attached to instances and controls inbound and outbound traffic at the instance level. They are stateful, which means that they automatically allow return traffic that is related to outbound traffic. Web Application Firewall is also a security layer that is used to protect web applications from common web exploits.
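To make the stateless-versus-stateful distinction concrete, here is an added example (not from the original page and not AWS code) that models how a Network ACL and a Security Group judge the request and the reply of a single HTTP connection; the rule numbers, CIDRs and ports are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# NACL rule: (rule_number, protocol, cidr, port_from, port_to, action).
# Evaluated lowest number first, first match wins; no match -> implicit deny.
# Constructed sample rules: admit HTTP in, admit replies to ephemeral ports out.
NACL_INBOUND = [(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
NACL_OUTBOUND = [(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

def nacl_evaluate(rules, proto, peer_ip, dst_port):
    """Judge one packet the way a stateless NACL does: no memory of earlier packets."""
    for _num, rproto, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
        if (rproto in (proto, "all") and ip_address(peer_ip) in ip_network(cidr)
                and lo <= dst_port <= hi):
            return action
    return "deny"  # the implicit final '*' rule

class SecurityGroup:
    """Stateful: an admitted packet creates tracked state that admits its reply."""
    def __init__(self, inbound):
        self.inbound = inbound  # list of (proto, cidr, port_from, port_to); allow-only
        self.tracked = set()    # (peer_ip, peer_port, local_port) of admitted flows

    def inbound_allowed(self, proto, peer_ip, peer_port, local_port):
        for rproto, cidr, lo, hi in self.inbound:
            if rproto == proto and ip_address(peer_ip) in ip_network(cidr) and lo <= local_port <= hi:
                self.tracked.add((peer_ip, peer_port, local_port))
                return True
        return False

    def outbound_allowed(self, peer_ip, peer_port, local_port):
        # The reply rides on connection state; no outbound rule is consulted.
        return (peer_ip, peer_port, local_port) in self.tracked

def http_exchange(nacl_outbound):
    """Client 203.0.113.10:49152 -> server :80 (request), then server -> client (reply).
    Returns what each layer decides for each direction."""
    client, cport, sport = "203.0.113.10", 49152, 80
    sg = SecurityGroup([("tcp", "0.0.0.0/0", 80, 80)])
    return {
        # NACL inbound rules match on the packet's destination port (80 here) ...
        "nacl_request": nacl_evaluate(NACL_INBOUND, "tcp", client, sport),
        # ... and outbound rules on the reply's destination: the client's ephemeral port.
        "nacl_reply": nacl_evaluate(nacl_outbound, "tcp", client, cport),
        "sg_request": sg.inbound_allowed("tcp", client, cport, sport),
        "sg_reply": sg.outbound_allowed(client, cport, sport),
    }
```

Calling `http_exchange([])` shows the failure mode the text describes: with no outbound rule the NACL drops the server's reply, while the Security Group still passes it because the flow was tracked on the way in.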

VPC Flow Logs is a monitoring feature that captures information about the IP traffic going to and from network interfaces in a VPC. It can be used to troubleshoot network connectivity issues, monitor the traffic flow, and detect security threats.

Therefore, the correct answer is D. Network ACL, as it is an optional security layer that can be attached to a subnet within a VPC for controlling traffic in and out of the VPC.