6 Answers
B. SG is stateful and so would allow incoming on 443 also. Ephemeral inbound ports are needed for the response from the web service.
I think I tripped up on this during the exam. Looking at: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-recommended-nacl-rules.html I believe "C" is the most correct answer based on the recommendations in the AWS Documentation. AWS recommends having both 443 inbound and outbound allowed.
Choice A won’t work because communicating with a web service requires two-way traffic for a request and response.
Choice B – may be a right answer, but not the most right. AWS also recommends in its recommendations that the ephemeral ports be allowed in both directions – but never one or the other, as implied in choice "B".
Choice D – Incorrect – SGs are stateful, so you cannot have one direction without the other.
Choice E – Incorrect – see above.
Choice F – Less right, since an SG does control both directions, but not the "most correct" since SGs are stateful, so it's just meant to allow a specific port.
Hi all, my 2 cents:
A] Outbound NACL on port 443 – This alone won’t work because NACLs are stateless
B] Outbound NACL on port 443 and inbound on ephemeral ports – This will work but it won’t ‘minimize’ exposure
C] Outbound & Inbound NACL on port 443 – I don’t think this is correct since most services do not reply back using the same ports…I think 443 is not correct for the inbound response and it should be ephemeral since the external web service is not going to reply back using port 443, it will use ephemeral ports
D] Security Group with outbound 443 – This will work – I know SGs are stateful and as such there is not a sense of configuring an outbound-only rule, but check the console: we either configure a rule as outbound or inbound, depending on the direction of traffic flow, so I think this is a valid answer. And it is also going to minimize exposure since it won’t open up a large range of ephemeral ports. So I think this is the best answer.
E] Security Group with outbound 443 and incoming on ephemeral ports – SGs are stateful, no need to configure both inbound AND outbound
F] Security Group with inbound & outbound on port 443 – SGs are stateful, no need to configure both inbound AND outbound
So I think D is the correct answer – but happy to be corrected if I’m wrong!
PS there is a bit of discussion here about the use of ephemeral ports:
and here as well:
https://help.acloud.guru/hc/en-us/articles/115001460933-Ephemeral-ports-and-network-security
You need both NACL and SG to work hand in hand for access – so both NACL and SG must allow. SG is stateful so only outbound is needed – SG 443 Out. NACLs are stateless so both inbound and outbound must be allowed. All ephemeral ports inbound must be allowed (because the response can come back on any port), and outbound NACL 443 must be allowed.
So none of the answers are correct if you have to pick only 1.
You have to pick 2 answers – B + D
B] Outbound NACL on port 443 and inbound on ephemeral ports
D] Security Group with outbound 443
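To make the stateless-vs-stateful distinction from the answers above concrete, here is an added example (not code from the thread or from AWS) that models how a custom NACL and a security group each judge an outbound HTTPS request and its reply, then scores the six choices in the question. It assumes a custom NACL (deny by default) and an SG holding only the rules listed, with its default allow-all-outbound rule removed; the client port 50000 and the choice letters are constructed for the example.

```python
# Added example, not from the forum thread: a toy model of stateless NACL
# vs stateful SG evaluation for an instance calling an external HTTPS service.
# Assumptions (constructed): custom NACL that denies by default, and an SG
# containing only the listed rules (default allow-all-outbound removed).
EPHEMERAL = (1024, 65535)  # range AWS recommends for the reply path

def allowed(rules, direction, port):
    """Stateless check: some rule for this direction covers this port."""
    return any(d == direction and lo <= port <= hi for d, lo, hi in rules)

def https_round_trip(nacl, sg, client_port=50000):
    """Return (ok, reason). Rules are (direction, low, high) tuples,
    direction being 'in' or 'out'. client_port is the ephemeral source port."""
    # 1. Request leaves the instance: SG outbound and NACL outbound are both
    #    evaluated against the destination port 443.
    if not allowed(sg, "out", 443):
        return False, "SG: no outbound rule for 443"
    if not allowed(nacl, "out", 443):
        return False, "NACL: no outbound rule for 443"
    # 2. Reply comes back to the instance's ephemeral source port.
    #    The NACL is stateless, so it needs an explicit inbound rule for it.
    if not allowed(nacl, "in", client_port):
        return False, f"NACL: no inbound rule for ephemeral port {client_port}"
    #    The SG is stateful: the reply matches the tracked outbound flow,
    #    so SG inbound rules are never consulted for it.
    return True, "allowed"

# The six choices from the question, as rule sets on the layer each names.
NACL_CHOICES = {
    "A": [("out", 443, 443)],
    "B": [("out", 443, 443), ("in", *EPHEMERAL)],
    "C": [("out", 443, 443), ("in", 443, 443)],
}
SG_CHOICES = {
    "D": [("out", 443, 443)],
    "E": [("out", 443, 443), ("in", *EPHEMERAL)],
    "F": [("out", 443, 443), ("in", 443, 443)],
}

def evaluate(nacl_choice, sg_choice):
    """Combine one NACL choice (or None) with one SG choice (or None)."""
    return https_round_trip(NACL_CHOICES.get(nacl_choice, []),
                            SG_CHOICES.get(sg_choice, []))

if __name__ == "__main__":
    for pair in [("A", "D"), ("B", "D"), ("C", "D"), ("B", None), (None, "D")]:
        print(pair, evaluate(*pair))
```

Only the B + D pairing (or B with E/F, whose extra SG inbound rule is redundant) completes the round trip; C fails because the reply targets the ephemeral port, not 443.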
Sam T states the answer in the most correct manner. This question is on Whizlabs.
Doesn’t an SG being stateful imply ‘E’ anyway because the outbound will be on 443 and the returning traffic will be on an ephemeral port?
No, SG stateful applies only to SG not to NACL.