AWS Certified Advanced Networking - Specialty: Exam ANS-C01 | Amazon

Standard Solution for TCP Port Management in AWS VPCs


Question

A pharma company is deploying multiple web servers on EC2 instances in multiple VPCs.

The security team has provided separate IP pools and TCP ports to reach each of these web servers based on the servers' functions and their access requirements.

The security team needs a standard solution to allow and block some of these TCP ports for their current and future deployments.

Which of the following options can be used to meet this requirement?

Answers

A. Create separate Security Groups for each instance & assign them to each instance. Use NACL to deny TCP ports to all instances at the subnet level.

B. Launch an instance in a separate subnet & apply a separate NACL to each instance. Use Security Groups to deny TCP ports to all instances.

C. Create separate Security Groups for each instance & assign them to each instance. Use Security Groups to deny TCP ports to all instances in all subnets.

D. Launch an instance in a separate subnet & apply a separate NACL to each instance. Use NACL to deny TCP ports to all instances.

Explanations

Correct Answer - A.

A Network ACL (NACL) is applied at the subnet level and can both allow and deny traffic by IP range and port, using numbered rules that are evaluated in ascending order until one matches.

A Security Group is applied at the instance (network interface) level and allows specific IP addresses or ports to reach the instance.

Security Groups are allow-only: they have no deny rules. Anything not explicitly allowed is dropped, but a port cannot be explicitly blocked.

Since every server has its own IP pool and port to be allowed, a Security Group per server (or per server role) carries those allow rules.

A NACL with deny rules for the unwanted ports is applied at the subnet level and covers every instance in that subnet, including instances deployed later; the same NACL can be associated with several subnets, which gives the team the standard, reusable control it asked for. Because NACLs are stateless, the outbound rules must also allow return traffic to the clients' ephemeral ports, or allowed requests will get no reply.

Options B & C are incorrect because Security Groups cannot deny traffic.

Option D is incorrect because a NACL is associated with a subnet, not an instance; launching each instance in its own subnet just to give it a separate NACL does not scale and is not a standard solution.
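The following Python model is added here as an example (it is not AWS code and not part of the original question) to show why the allow and deny halves of the answer fall to different controls: a Security Group is allow-only and stateful, while a NACL has numbered allow/deny rules evaluated in order and is stateless. It builds one Security Group per server from a constructed allocation table and one reusable NACL that denies the blocked ports, then evaluates sample packets through both, including the reply path that a stateless NACL only passes if an outbound rule exists. Server names, CIDRs and ports are constructed sample data; IPv6, ICMP, prefix lists and rule-number ties are not modelled.

```python
"""Model of how a VPC evaluates a Security Group (per network interface,
allow-only, stateful) and a Network ACL (per subnet, numbered rules, first
match wins, stateless). Added example, not AWS code. Simplified to IPv4 and
TCP; the server names, CIDRs and ports are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 54321  # client's ephemeral source port


@dataclass(frozen=True)
class AclRule:
    number: int      # rules are evaluated in ascending order; lowest match wins
    cidr: str
    from_port: int
    to_port: int
    action: str      # ALLOW or DENY: a NACL can express an explicit deny


@dataclass
class SecurityGroup:
    name: str
    inbound: list    # [(cidr, port)] allow rules only; there is no deny form

    def allows_inbound(self, pkt: Packet) -> bool:
        # Any matching rule permits; traffic matching nothing is dropped.
        # "Deny port X" can only be expressed by not listing it.
        return any(ip_address(pkt.src) in ip_network(cidr) and pkt.dport == port
                   for cidr, port in self.inbound)
    # Stateful: the reply to an allowed inbound flow needs no outbound rule.


@dataclass
class NetworkAcl:
    inbound: list = field(default_factory=list)   # [AclRule]
    outbound: list = field(default_factory=list)  # [AclRule]

    @staticmethod
    def _first_match(rules, ip: str, port: int) -> str:
        for rule in sorted(rules, key=lambda r: r.number):
            if ip_address(ip) in ip_network(rule.cidr) and rule.from_port <= port <= rule.to_port:
                return rule.action
        return DENY  # the final '*' rule every NACL ends with

    def inbound_action(self, pkt: Packet) -> str:
        return self._first_match(self.inbound, pkt.src, pkt.dport)

    def outbound_action(self, pkt: Packet) -> str:
        return self._first_match(self.outbound, pkt.dst, pkt.dport)


def request_path(nacl: NetworkAcl, sg: SecurityGroup, pkt: Packet) -> str:
    """Inbound request: the subnet's NACL is consulted first, then the instance's SG."""
    if nacl.inbound_action(pkt) == DENY:
        return "denied by NACL"
    if not sg.allows_inbound(pkt):
        return "dropped by security group"
    return "allowed"


def response_path(nacl: NetworkAcl, pkt: Packet) -> str:
    """The server's reply crosses the same NACL outbound. The NACL is stateless, so
    the client's ephemeral port must be allowed explicitly; the SG needs no rule."""
    reply = Packet(src=pkt.dst, dst=pkt.src, dport=pkt.sport, sport=pkt.dport)
    return "allowed" if nacl.outbound_action(reply) == ALLOW else "reply denied by NACL"


# Security team's allocation: server -> (client IP pool, TCP port). Constructed sample.
SERVER_ACCESS = {
    "web-public":  ("203.0.113.0/24", 443),
    "web-partner": ("198.51.100.0/24", 8443),
}


def build_security_groups(table: dict) -> dict:
    """One allow-only Security Group per server: the first half of option A."""
    return {name: SecurityGroup(f"sg-{name}", [(cidr, port)]) for name, (cidr, port) in table.items()}


def build_standard_nacl(blocked_ports: list) -> NetworkAcl:
    """One NACL reusable across subnets: the second half of option A. Explicit denies
    for the blocked ports, then allow the rest so the SG makes the fine-grained
    decision, plus an outbound allow for the clients' ephemeral ports."""
    inbound = [AclRule(100 + 10 * i, "0.0.0.0/0", p, p, DENY) for i, p in enumerate(blocked_ports)]
    inbound.append(AclRule(900, "0.0.0.0/0", 0, 65535, ALLOW))
    outbound = [AclRule(100, "0.0.0.0/0", 1024, 65535, ALLOW)]
    return NetworkAcl(inbound, outbound)


if __name__ == "__main__":
    sgs = build_security_groups(SERVER_ACCESS)
    nacl = build_standard_nacl([22, 3389])
    for pkt in (Packet("203.0.113.10", "10.0.1.5", 443),
                Packet("198.51.100.7", "10.0.1.5", 443),
                Packet("203.0.113.10", "10.0.1.5", 22)):
        print(pkt.src, "->", pkt.dport, ":", request_path(nacl, sgs["web-public"], pkt))
```

Note the ordering in request_path: the NACL is the subnet edge and is checked before the Security Group, so a port denied there never reaches the instance regardless of what any Security Group allows. Dropping the outbound NACL rule (as the last test case does) is the classic stateless mistake: the request is allowed in and the reply is silently dropped on the way out.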

For more information on using Security Groups & NACL, refer to the following URLs.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

In this scenario, a pharma company is deploying multiple web servers on EC2 instances in multiple VPCs, and the security team has provided separate IP pools and TCP ports to reach each web server based on its function and access requirements. The team needs a standard solution to allow and block some of these TCP ports for current and future deployments. Evaluating each option:

A. Create separate Security Groups for each instance & assign them to each instance. Use NACL to deny TCP ports to all instances at the subnet level. Each Security Group carries only the allow rules for that server's IP pool and port, and a NACL attached to the subnet denies the unwanted ports for every instance in it, present and future. This uses each control for what it can do (Security Groups allow, NACLs deny), and the same NACL rule set can be associated with every subnet in a VPC and replicated in each VPC as the standard. Managing one Security Group per instance can become cumbersome as the fleet grows, but grouping servers by function into shared Security Groups keeps that manageable.

B. Launch an instance in a separate subnet & apply a separate NACL to each instance. Use Security Groups to deny TCP ports to all instances. This does not work: Security Groups have no deny rules, so they cannot block ports, and a NACL is associated with a subnet rather than an instance, so "a NACL per instance" means a subnet per instance, which adds cost and management overhead for no gain.

C. Create separate Security Groups for each instance & assign them to each instance. Use Security Groups to deny TCP ports to all instances in all subnets. The first half is fine, but the second half is impossible: a Security Group can only allow traffic. The only way to "deny" a port with a Security Group is to leave it out of the allow rules, which is not an explicit block and gives the team no standard deny control.

D. Launch an instance in a separate subnet & apply a separate NACL to each instance. Use NACL to deny TCP ports to all instances. NACLs can deny the ports, but as with option B the per-instance NACL requires a subnet per instance, which does not scale across current and future deployments.

In summary, option A is the correct solution: a Security Group per server for the allowed IP pools and ports, and a subnet-level NACL to deny the ports the security team wants blocked.