Questions 43 to 45

Explanations for questions 43 to 45

Question 43

A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet. The subnet was created with default ACL settings. The web servers must be accessible only to customers on an SSL connection. The database should only be accessible to web servers in a public subnet.

Which solution meets these requirements without impacting other running applications? (Select TWO)

  1. Create a DB server security group that allows MySQL port 3306 inbound, and specify the source as a web server security group.
  2. Create a web server security group that allows HTTPS port 443 inbound traffic from Anywhere (0.0.0.0/0), and apply it to the web servers.
  3. Create a network ACL on the web server’s subnet, allow HTTPS port 443 inbound, and specify the source as 0.0.0.0/0.
  4. Create a DB server security group that allows the HTTPS port 443 inbound, and specify the source as a web server security group.
  5. Create a network ACL on the DB subnet, allow MySQL port 3306 inbound for web servers, and deny all outbound traffic.

Correct Answer: 1, 2

Explanation: A VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic. Custom network ACLs deny everything inbound and outbound by default, but in this case, a default network ACL is being used. Inbound connections to web servers will be coming in on port 443 from the Internet, so creating a security group to allow this port from 0.0.0.0/0 and applying it to the web servers will allow this traffic.

CORRECT: "Create a DB server security group that allows MySQL port 3306 inbound, and specify the source as a web server security group." is the correct answer.

CORRECT: "Create a web server security group that allows HTTPS port 443 inbound traffic from Anywhere (0.0.0.0/0), and apply it to the web servers." is the second correct answer.

INCORRECT: "Create a network ACL on the web server's subnet, allow HTTPS port 443 inbound, and specify the source as 0.0.0.0/0." is incorrect as a default network ACL will already allow this traffic.

INCORRECT: "Create a DB server security group that allows the HTTPS port 443 inbound, and specify the source as a web server security group." is incorrect. The MySQL DB will be listening on port 3306. Therefore, the security group that is applied to the DB servers should allow 3306 inbound from the web server's security group.

INCORRECT: "Create a network ACL on the DB subnet, allow MySQL port 3306 inbound for web servers, and deny all outbound traffic." is incorrect as a default network ACL will already allow this traffic. Note also that network ACLs are stateless, so a deny-all outbound rule on the DB subnet would block the database's replies to the web servers.
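The two security groups from the correct answer, written out as Terraform. This is an added example, not part of the original question or of AWS documentation; `var.vpc_id`, the resource names and the descriptions are assumptions. The point it makes concrete is the security-group-to-security-group reference: the DB rule names the web tier's group ID as its source rather than a CIDR, so only instances carrying the web security group can reach port 3306, and the default network ACL is left untouched.

```hcl
# Added example (not from the original page): security groups for the
# web tier and the RDS MySQL instance. vpc_id is an assumed input variable.

variable "vpc_id" {
  type        = string
  description = "VPC that holds the public web subnet and private DB subnet"
}

# Web tier: HTTPS from anywhere, nothing else inbound.
resource "aws_security_group" "web" {
  name        = "web-sg"                      # assumed name
  description = "Web servers: HTTPS only from the Internet"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "web_https" {
  security_group_id = aws_security_group.web.id
  description       = "HTTPS from customers"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = "0.0.0.0/0"
}

# The web servers need outbound access to reach the DB on 3306 (and the
# Internet for updates); security groups are stateful, so replies to the
# inbound 443 sessions are allowed without a matching egress rule.
resource "aws_vpc_security_group_egress_rule" "web_all" {
  security_group_id = aws_security_group.web.id
  description       = "All outbound"
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# DB tier: MySQL only from instances that carry the web security group.
# No CIDR here: the source is the web group's ID, so a new web server
# picks up access simply by being launched with that group.
resource "aws_security_group" "db" {
  name        = "db-sg"                       # assumed name
  description = "RDS MySQL: port 3306 only from the web tier"
  vpc_id      = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "db_mysql_from_web" {
  security_group_id            = aws_security_group.db.id
  description                  = "MySQL from web servers"
  ip_protocol                  = "tcp"
  from_port                    = 3306
  to_port                      = 3306
  referenced_security_group_id = aws_security_group.web.id
}
# No egress rule on the DB group: the instance only answers inbound
# sessions, and the stateful security group already permits those replies.
```

Attach `aws_security_group.web` to the web instances and `aws_security_group.db` to the RDS instance. Because the DB rule references a security group rather than an address range, the rule does not need updating when web servers are added or replaced, and a host in the public subnet that is not in the web group still cannot reach 3306.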

References:

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html
