Question 026 | AWS Certified Advanced Networking

You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK 2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK 2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?

A. The inbound network access control list is blocking the traffic
B. The outbound network access control list is blocking the traffic
C. The inbound security group is blocking the traffic.
D. The outbound security group is blocking the traffic.

Correct Answer: B

Explanation:

Explanation: An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance. A REJECT record for the response ping that the network ACL denied. If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

AWS Certified Advanced Networking – Specialty ANS-C00

Tag: Question 026

AWS Certified Advanced Networking – Specialty ANS-C00 – Question026