Certified Security - Specialty


Incorrect answer in Data Protection with VPCs Quiz?

The question asks:

Which of the following would you use to block inbound network traffic from a known IP address range from reaching your VPC subnet?

VPC Flow Log

Network ACL

Security Group

The ‘correct’ answer is listed as ‘Network ACL’, but I would argue that this is evaluated within the VPC, so at that point the VPC has been reached. According to https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html I would argue that the AWS WAF would be the correct answer and that IP addresses can be configured here to be blocked, and thus blocked from reaching the VPC, and blocked from any VPC subnet. Am I reading it wrong?

1 Answer

The question is about the VPC subnet, so focus on the subnet, not the VPC; the NACL is clearly the correct and only choice.

I agree with Claude on this. "As a packet comes to the subnet, we evaluate it against the inbound rules of the ACL that the subnet is associated with" https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html
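An added illustration, not part of the thread and not AWS or course code, of why the NACL fits the question and of the caveat a practitioner has to watch: NACL rules are evaluated in ascending rule-number order, the first match wins, and every NACL ends with an implicit deny, so a deny for the IP range only takes effect if its rule number is lower than the broad allow. The CIDRs are constructed sample values from the RFC 5737 documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NaclRule:
    number: int   # AWS evaluates rules lowest number first; first match wins
    cidr: str     # source CIDR for an inbound rule
    action: str   # "allow" or "deny"


def evaluate_inbound(rules, src_ip: str) -> tuple:
    """Return (action, matching rule number) for a packet from src_ip.

    Mimics NACL inbound semantics: ordered evaluation, first match wins,
    and an implicit catch-all deny (rule '*') if nothing matched.
    """
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.number
    return "deny", None   # the implicit '*' rule at the end of every NACL


# Constructed sample: the range we want kept out of the subnet.
BLOCKED_RANGE = "203.0.113.0/24"

# Correct ordering: the deny (90) sits before the broad allow (100).
GOOD_NACL = [
    NaclRule(90, BLOCKED_RANGE, "deny"),
    NaclRule(100, "0.0.0.0/0", "allow"),
]

# Common mistake: the deny (110) comes after the allow (100) and is never reached.
BAD_NACL = [
    NaclRule(100, "0.0.0.0/0", "allow"),
    NaclRule(110, BLOCKED_RANGE, "deny"),
]


def is_blocked(rules, src_ip: str) -> bool:
    """True if the NACL would drop an inbound packet from src_ip."""
    return evaluate_inbound(rules, src_ip)[0] == "deny"


if __name__ == "__main__":
    for name, nacl in (("good", GOOD_NACL), ("bad", BAD_NACL)):
        for ip in ("203.0.113.7", "198.51.100.5"):
            print(name, ip, evaluate_inbound(nacl, ip))
```

The simulator covers inbound only; because NACLs are stateless, the matching outbound rules need the same ordering check.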
