AWS Certified Advanced Networking - Specialty Exam: NAT Security Group Configuration

Which entries are not required for the NAT security group in AWS?


Question

A user has created a VPC with public and private subnets.

The VPC has CIDR 20.0.0.0/16.

The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24.

The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306).

The user is configuring a security group for the NAT instance.

Which of the below-mentioned entries is not required for the NAT security group?

Answers

Explanations


Answer - C.

As per AWS, the recommended rules for a NAT instance security group are listed below.

For information on NAT instance security, please visit the link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
NATSG: Recommended Rules

Inbound

Source                                       | Protocol | Port Range | Comments
10.0.1.0/24                                  | TCP      | 80         | Allow inbound HTTP traffic from servers in the private subnet
10.0.1.0/24                                  | TCP      | 443        | Allow inbound HTTPS traffic from servers in the private subnet
Public IP address range of your home network | TCP      | 22         | Allow inbound SSH access to the NAT instance from your home network (over the Internet gateway)

Outbound

Destination                                  | Protocol | Port Range | Comments
0.0.0.0/0                                    | TCP      | 80         | Allow outbound HTTP access to the Internet
0.0.0.0/0                                    | TCP      | 443        | Allow outbound HTTPS access to the Internet

The NAT instance in a VPC is used to provide internet connectivity to instances in the private subnet. To achieve this, the NAT instance should be placed in a public subnet, and a route table should be configured to route internet-bound traffic from the private subnet instances to the NAT instance.

In this scenario, the user has created a VPC with a public subnet (20.0.0.0/24) and a private subnet (20.0.1.0/24). The user plans to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The NAT instance should be placed in the public subnet, and its security group should be configured to allow inbound traffic from the private subnet and outbound traffic to the Internet on the ports the private instances need.

Let's review the options provided:

A. For Inbound allow Source: 20.0.1.0/24 on port 80. This rule allows incoming traffic from the private subnet (20.0.1.0/24) to the NAT instance on port 80. This rule is required to allow the private subnet instances to access the Internet through the NAT instance.

B. For Outbound allow Destination: 0.0.0.0/0 on port 80. This rule allows outgoing traffic from the NAT instance to any destination on port 80. This rule is required to allow the NAT instance to reach the Internet on behalf of the private instances.

C. For Inbound allow Source: 20.0.0.0/24 on port 80. This rule allows incoming traffic from the public subnet (20.0.0.0/24) to the NAT instance on port 80. This rule is not required because the NAT instance is not serving any service on port 80 to the public subnet; instances in the public subnet reach the Internet directly through the Internet gateway.

D. For Outbound allow Destination: 0.0.0.0/0 on port 443. This rule allows outgoing traffic from the NAT instance to any destination on port 443. This rule is not required for the NAT security group because the NAT instance is not serving any service on port 443.

Therefore, the correct answer is C. For Inbound allow Source: 20.0.0.0/24 on port 80.
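To make the reasoning above checkable, here is an added audit script (not part of the original page or of AWS's documentation) that models the NATSG recommended rules quoted above with the question's own CIDRs. It reports which rules the NAT path for the private subnet still lacks, flags inbound HTTP/HTTPS rules whose source reaches beyond the private subnet (the public subnet, or 0.0.0.0/0), and tests each answer option by removing it and seeing whether the NAT path loses anything; the Rule class, function names and the "excessive" heuristic are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_network

PRIVATE_SUBNET = "20.0.1.0/24"   # values from the question
PUBLIC_SUBNET = "20.0.0.0/24"
INTERNET = "0.0.0.0/0"
NAT_PORTS = (80, 443)            # HTTP/HTTPS, as in the NATSG recommended rules


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    port: int
    protocol: str = "tcp"


def covers(rule, direction, cidr, port):
    """True if `rule` permits traffic in `direction` for every address in `cidr` on `port`."""
    return (rule.direction == direction and rule.protocol == "tcp" and rule.port == port
            and ip_network(cidr).subnet_of(ip_network(rule.cidr)))


def audit_nat_sg(rules, private_cidr=PRIVATE_SUBNET):
    """Return (missing, excessive).

    missing   - (direction, cidr, port) tuples the NAT path for private_cidr still needs
    excessive - inbound HTTP/HTTPS rules admitting sources outside the private subnet
                (e.g. the public subnet or 0.0.0.0/0); the NAT instance serves nothing there
    """
    needed = [("inbound", private_cidr, p) for p in NAT_PORTS] + \
             [("outbound", INTERNET, p) for p in NAT_PORTS]
    missing = [n for n in needed if not any(covers(r, *n) for r in rules)]
    private = ip_network(private_cidr)
    excessive = [r for r in rules if r.direction == "inbound" and r.port in NAT_PORTS
                 and not ip_network(r.cidr).subnet_of(private)]
    return missing, excessive


# The four answer options expressed as rules (the question's own values)
EXAM_OPTIONS = {
    "A": Rule("inbound", PRIVATE_SUBNET, 80),
    "B": Rule("outbound", INTERNET, 80),
    "C": Rule("inbound", PUBLIC_SUBNET, 80),
    "D": Rule("outbound", INTERNET, 443),
}


def unnecessary_options(options=EXAM_OPTIONS):
    """Labels whose rule can be dropped without the NAT path losing anything it had."""
    all_rules = list(options.values())
    baseline, _ = audit_nat_sg(all_rules)
    return [label for label, rule in options.items()
            if audit_nat_sg([r for r in all_rules if r != rule])[0] == baseline]
```

Running `unnecessary_options()` on the four options returns `['C']`, and `audit_nat_sg` flags option C as the only excessive inbound rule while reporting that inbound HTTPS (443) from the private subnet is still missing from that set.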