Your company has a set of Instances that host a web-based application in a subnet of a VPC.
There are several similar types of requests coming from an IP address of 52.67.89.10
Your IT Security department has requested that all subsequent requests from this IP address should be blocked.
How can you achieve this?
Click on the arrows to vote for the correct answer
A. B. C. D.Correct Answer: C.
Since the request is an Inbound request from an IP,it must be stopped at the subnet level.
So here, you will add a rule to the Network Access control list.
Option A is incorrect because the rule needs to be added at the subnet level.
Option B is incorrect because this is an invalid CIDR range.
Option D is incorrect because it should be a rule for Inbound traffic.
For more information on Network ACLs, please refer to the below URL-
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.htmlThe correct answer is C. Create an Inbound Rule for the NACL which will deny traffic coming from 52.67.89.10/32.
Explanation:
A Network Access Control List (NACL) is an additional layer of security that operates at the subnet level. NACLs are stateless and evaluate rules in sequential order. Therefore, when you are looking to block traffic from a specific IP address, you must create a rule in the inbound direction because the traffic is coming from an external IP address.
Option A, creating an Outbound rule for the Security Group for the EC2 Instances, is incorrect because it would block all outgoing traffic to that IP address, whereas the requirement is to block incoming traffic from that IP address.
Option B, creating an Inbound Rule for the NACL which will deny traffic coming from 52.67.89.10/0, is incorrect because the /0 at the end of the IP address range means that all IP addresses will be blocked, not just 52.67.89.10.
Option D, creating an Outbound Rule for the NACL which will deny traffic coming from 52.67.89.10/32, is incorrect because outbound rules only control traffic leaving the subnet, whereas the requirement is to block incoming traffic from a specific IP address.
Therefore, the correct answer is C, create an Inbound Rule for the NACL which will deny traffic coming from 52.67.89.10/32. This rule will block all traffic coming from the specific IP address 52.67.89.10.