The requirement is to prevent traffic originating from Application A from reaching Application B. Network Access Control Lists (NACLs) are the appropriate tool for this scenario as they operate at the subnet level and support explicit deny rules. By adding an outbound deny rule to the NACL associated with Application A's subnet, with the destination being the CIDR block of Application B's subnet, all traffic from A to B is blocked before it leaves the source subnet. NACLs are stateless, so this single rule effectively prevents the communication as requested.

A. Security groups do not support explicit deny rules. Furthermore, an outbound rule on Application B's security group would not block inbound traffic.

B. Security groups do not have explicit deny rules; they only support allow rules. Any traffic not matching an allow rule is implicitly denied.

C. An outbound rule on Application B's subnet NACL controls traffic leaving that subnet, not traffic entering it from Application A's subnet.

1. AWS Documentation: VPC User Guide - Network ACLs. This document states

"A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." It also specifies under "Network ACL rules" that rules can either "ALLOW" or "DENY" traffic. The solution in option D correctly applies a DENY rule to the outbound traffic of the source subnet.

Source: AWS VPC User Guide

Section: "Control traffic to subnets using network ACLs"

Sub-section: "Network ACL rules".

2. AWS Documentation: VPC User Guide - Security groups. This document clarifies the function of security groups

stating

"A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic." Under "Security group rules

" it specifies

"Security group rules are always permissive; you can't create rules that deny access." This directly invalidates options A and B.

Source: AWS VPC User Guide

Section: "Control traffic to resources using security groups"

Sub-section: "Security group rules".

3. AWS Documentation: VPC User Guide - Compare security groups and network ACLs. This comparison table explicitly highlights the key differences. It shows that Security Groups operate at the instance level and support "Allow rules only

" while Network ACLs operate at the subnet level and support "Allow and deny rules." This confirms that a NACL is the correct tool for a deny action and that applying it to the source subnet's outbound traffic (as in option D) is the correct implementation.

Source: AWS VPC User Guide

Section: "Control traffic to resources using security groups"

Sub-section: "Compare security groups and network ACLs".