Q: 14
Application A runs on Amazon EC2 instances behind a Network Load Balancer (NLB). The EC2
instances are in an Auto Scaling group and are in the same subnet that is associated with the NLB.
Other applications from an on-premises environment cannot communicate with Application A on
port 8080.
To troubleshoot the issue, a CloudOps engineer analyzes the flow logs. The flow logs include the
following records:
ACCEPT from 192.168.0.13:59003 → 172.31.16.139:8080
REJECT from 172.31.16.139:8080 → 192.168.0.13:59003
What is the reason for the rejected traffic?
Options
Discussion
Option B Had something like this in a mock and picked B because I thought the NLB security group might be blocking on-prem traffic, not realizing it's stateless. Not totally sure though, feel free to correct me.
Nah, it's not B. D is right here. The NACLs are stateless so outbound traffic on the ephemeral port (like 59003) also needs to be allowed, or it'll get rejected on return. Security groups wouldn't cause this REJECT for the response, that's a classic NACL issue in AWS. Anyone else see practice questions with this same trick?
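The stateless evaluation described in the reply above, as an added example that is not part of the thread: a small Python model of a network ACL that checks the request and the response independently, with the flow-log lines constructed to match the two records in the question. It assumes a simplified NACL (port ranges only, no CIDR or protocol matching, implicit deny at the end) and hypothetical rule sets named BROKEN and FIXED.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed flow-log records in the same shape as the two lines in the question.
FLOW_LOG = [
    "ACCEPT from 192.168.0.13:59003 -> 172.31.16.139:8080",
    "REJECT from 172.31.16.139:8080 -> 192.168.0.13:59003",
]


@dataclass(frozen=True)
class NaclRule:
    number: int       # rule number; lower numbers are evaluated first
    direction: str    # "inbound" or "outbound", relative to the subnet
    action: str       # "allow" or "deny"
    port_from: int    # destination port range, inclusive
    port_to: int


def evaluate(rules: List[NaclRule], direction: str, dst_port: int) -> str:
    """First matching rule in ascending number order wins; no match means the
    implicit deny (the '*' rule) applies, which shows up as REJECT in flow logs."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction == direction and rule.port_from <= dst_port <= rule.port_to:
            return "ACCEPT" if rule.action == "allow" else "REJECT"
    return "REJECT"


def simulate_exchange(rules: List[NaclRule],
                      client_port: int = 59003,
                      server_port: int = 8080) -> Tuple[str, str]:
    """Stateless semantics: the request is checked against the inbound rules
    (destination port 8080) and the response is checked separately against
    the outbound rules, whose destination port is the client's ephemeral port."""
    request = evaluate(rules, "inbound", server_port)
    response = evaluate(rules, "outbound", client_port)
    return request, response


def render_flow_log(rules: List[NaclRule],
                    client: str = "192.168.0.13", client_port: int = 59003,
                    server: str = "172.31.16.139", server_port: int = 8080) -> List[str]:
    """Render the simulated verdicts as flow-log style lines for comparison."""
    request, response = simulate_exchange(rules, client_port, server_port)
    return [
        f"{request} from {client}:{client_port} -> {server}:{server_port}",
        f"{response} from {server}:{server_port} -> {client}:{client_port}",
    ]


# Hypothetical misconfiguration: outbound only allows port 8080, as if the ACL
# were stateful and the response would be matched to the accepted request.
BROKEN = [
    NaclRule(100, "inbound", "allow", 8080, 8080),
    NaclRule(100, "outbound", "allow", 8080, 8080),
]

# Corrected set: outbound additionally allows the ephemeral port range so the
# response to the on-premises client (destination port 59003) is accepted.
FIXED = [
    NaclRule(100, "inbound", "allow", 8080, 8080),
    NaclRule(100, "outbound", "allow", 1024, 65535),
]


if __name__ == "__main__":
    print("broken:", simulate_exchange(BROKEN))   # ('ACCEPT', 'REJECT')
    print("fixed: ", simulate_exchange(FIXED))    # ('ACCEPT', 'ACCEPT')
    print("log matches question:", render_flow_log(BROKEN) == FLOW_LOG)
```

The BROKEN set reproduces the question's ACCEPT/REJECT pair exactly, and the only change in FIXED is the outbound rule covering the ephemeral range, which is the check to make on the real NACL before looking at security groups.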
B, NLB security group missing rule for on-prem traffic.
It's D, but if the return port was covered in the outbound NACL range this wouldn't happen.
Probably D, nice clear scenario for NACL troubleshooting.