
I came across the following scenario question in my AWS study:

You have a business-to-business web application running in a VPC consisting of an Application Load Balancer (ALB), application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers

Options:

A.  Configure web server VPC security groups to allow traffic from your customers’ IPs
B.  Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
C.  Configure your web servers to filter traffic based on the ALB’s "Proxy Protocol" header
D.  Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
E.  Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic 

Correct Answer

B. Configure your web servers to filter traffic based on the ALB’s "X-forwarded-for" header
D. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic

My question is Why E is not an accepted answer here?

Thank you very much; any enlightenment is appreciated.

mdivk
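
Option B in the question, filtering on the ALB's X-Forwarded-For header, is easy to get wrong. The following is an added example, not code from the question or the answer below. It assumes the default ALB behaviour of appending the connecting client's address to any X-Forwarded-For header the client already sent, so the rightmost entry is the one the ALB wrote and every entry to its left is client-controlled and forgeable. The customer ranges, the 10.0.1.10 server address and the WSGI middleware name are constructed for illustration.

```python
"""Allow-list the real client IP behind an AWS Application Load Balancer.

Added example (not code from the original question or answer). The ALB
appends the connecting client's address to X-Forwarded-For, so the
rightmost entry is the one the ALB wrote; anything to its left arrived
from the client and can be forged. The allowed customer networks are
constructed sample values, not real customers.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed sample allow-list of customer networks (assumption).
ALLOWED_CUSTOMER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.10/32"),
]


def client_ip_from_xff(xff: Optional[str]):
    """Return the address the ALB appended: the last comma-separated entry.

    Returns None when the header is missing or the last entry is not an IP.
    Taking the first entry instead would let a client choose its own
    "source" by sending its own X-Forwarded-For header.
    """
    if not xff:
        return None
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def is_allowed_client(xff: Optional[str],
                      allowed: Iterable = ALLOWED_CUSTOMER_NETWORKS) -> bool:
    """True if the ALB-appended client address falls inside an allowed network."""
    ip = client_ip_from_xff(xff)
    if ip is None:
        return False
    # A v6 address is never "in" a v4 network (and vice versa); that yields False.
    return any(ip in net for net in allowed)


def xff_allowlist_middleware(app, allowed: Iterable = ALLOWED_CUSTOMER_NETWORKS):
    """WSGI middleware (hypothetical name) that rejects non-customer requests.

    Only meaningful if the web servers are reachable solely through the ALB
    (e.g. their security group admits only the ALB's security group); a
    direct connection would let the caller write the whole header.
    """
    def wrapper(environ, start_response):
        if not is_allowed_client(environ.get("HTTP_X_FORWARDED_FOR"), allowed):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"forbidden\n"]
        return app(environ, start_response)
    return wrapper


if __name__ == "__main__":
    # Constructed header values: a forged allowed IP on the left does not help
    # the attacker, because the ALB appended the real address on the right.
    for header in ["203.0.113.5", "203.0.113.5, 192.0.2.9", "10.0.0.1, 203.0.113.5", None]:
        print(repr(header), "->", is_allowed_client(header))
```

The check is only as strong as the guarantee that every request really passed through the ALB; pair it with a web-server security group that admits traffic from the ALB's security group alone.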

1 Answer


I believe E is invalid because of the second portion of the answer, "and deny all outbound traffic". NACLs are stateless in nature, which means that inbound traffic opened in a NACL does not allow the outgoing traffic for a request by default. So if your web server receives a request on port 80, it needs to respond back using an ephemeral port, which is in the range 1024-65535. So your NACL must have an outbound ALLOW rule to send the response on those ports.

This is different from security groups, which are stateful in nature and don't require an explicit ALLOW for the ephemeral ports.

For further reading, search for "stateless" in the documentation below to get a better understanding, if I couldn't explain it here:

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Juned Ahsan
  • Thanks. BUT, can we set Deny rules in a Security Group? Why is D a valid option here? – mdivk Nov 29 '19 at 01:50
  • Because a security group DENY does not affect the ephemeral ports. A security group will allow the response on an ephemeral port if it allows the request on an incoming port. – Juned Ahsan Nov 29 '19 at 01:53
  • Thanks. My question is that there are no DENY rules you can set in security groups; here is the link: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html – mdivk Nov 29 '19 at 17:01
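
The stateless-versus-stateful point in the answer above can be made concrete with a small model. The following is an added example, not code from the question, the answer or AWS; it encodes the evaluation rules the answer relies on: a network ACL is stateless, evaluates rules in ascending rule-number order with first match winning and an implicit deny at the end, while a security group is stateful, has allow rules only, and permits the reply to any flow it admitted. Addresses, ports, rule numbers and the 10.0.1.10 server address are constructed for illustration.

```python
"""Stateless NACL versus stateful security group, as the answer describes.

Added example; it is not code from the original question or answer. It
models the evaluation rules the answer relies on: a network ACL is
stateless, evaluates rules in ascending rule-number order, first match
wins, and ends with an implicit deny; a security group is stateful and
has allow rules only, so the reply to an admitted inbound flow passes
even with no outbound rules. All values below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set, Tuple

EPHEMERAL = (1024, 65535)  # outbound range a NACL must allow for TCP replies


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (toward the server) or "outbound" (from it)
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The response to this packet: addresses and ports swapped."""
        other = "outbound" if self.direction == "inbound" else "inbound"
        return Packet(other, self.dst, self.dport, self.src, self.sport)

    @property
    def peer(self) -> str:
        # Rules match the remote side: source when inbound, destination when outbound.
        return self.src if self.direction == "inbound" else self.dst


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    action: str  # "allow" or "deny"
    cidr: str
    ports: Tuple[int, int]  # inclusive destination-port range

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= pkt.dport <= self.ports[1])


class NetworkAcl:
    """Stateless: every packet, request or reply, is judged on its own."""

    def __init__(self, rules: Iterable[NaclRule]):
        self.rules = sorted(rules, key=lambda r: r.number)  # lowest number first

    def permits(self, pkt: Packet) -> bool:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"  # first match wins
        return False  # the implicit "*" deny rule


class SecurityGroup:
    """Stateful: allow rules only; replies to admitted flows are tracked and permitted."""

    def __init__(self, inbound: Iterable[Tuple[str, Tuple[int, int]]] = (),
                 outbound: Iterable[Tuple[str, Tuple[int, int]]] = ()):
        self.inbound = list(inbound)    # (cidr, (lo, hi))
        self.outbound = list(outbound)  # empty == the default allow-all rule removed
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def permits(self, pkt: Packet) -> bool:
        # Connection tracking: the reverse of an admitted flow is always allowed.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for cidr, (lo, hi) in rules:
            if ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False


def request_and_reply(filt, client: str, client_port: int = 51515) -> Tuple[bool, bool]:
    """Whether an HTTP request from client and the server's reply both pass filt."""
    req = Packet("inbound", client, client_port, "10.0.1.10", 80)  # constructed server
    return filt.permits(req), filt.permits(req.reply())


CUSTOMER_CIDR = "203.0.113.0/24"  # constructed customer range

# Option E as worded: allow customers inbound on 80, deny all outbound.
nacl_deny_out = NetworkAcl([NaclRule(100, "inbound", "allow", CUSTOMER_CIDR, (80, 80))])
# What a working NACL needs: an outbound allow for the ephemeral reply ports.
nacl_fixed = NetworkAcl([NaclRule(100, "inbound", "allow", CUSTOMER_CIDR, (80, 80)),
                         NaclRule(100, "outbound", "allow", "0.0.0.0/0", EPHEMERAL)])
# Option D: a security group allowing customers inbound with no outbound rules at all.
sg_deny_out = SecurityGroup(inbound=[(CUSTOMER_CIDR, (80, 80))])

if __name__ == "__main__":
    for name, filt in [("NACL, deny all outbound", nacl_deny_out),
                       ("NACL, ephemeral outbound allowed", nacl_fixed),
                       ("Security group, no outbound rules", sg_deny_out)]:
        print(f"{name}: (request, reply) = {request_and_reply(filt, '203.0.113.5')}")
```

With the NACL that denies all outbound traffic the request is admitted but the reply is dropped, which is exactly why option E fails; the same "no outbound rules" configuration on a security group still returns the reply because the flow was tracked on the way in.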