Certified Security - Specialty


Troubleshooting Scenarios Quiz question no 11

"You have configured a new VPC with a private subnet and added a NAT Gateway and configured the subnet route table to route all internet traffic via the NAT Gateway. However when you try to run a yum update, none of your instances are able to reach the internet. What could be the problem?"

As per my understanding of security group rules, we can allow traffic from anywhere or from specific IPs, etc. But the outgoing traffic is not controlled, as security groups are stateful.

The quiz is showing option 2 as right. But I feel option 3 is right.

Please correct me if I am wrong.

Options:

1. Create Network ACLs allowing incoming traffic on ports 80 and 443 from

2. You have forgotten to configure an outbound Security Group rule allowing outbound HTTPS traffic to

3. You have forgotten to configure an inbound Security Group rule allowing incoming HTTPS traffic from

4. You have forgotten to configure an outbound Security Group rule allowing outbound HTTPS traffic to and an inbound Security Group rule allowing incoming HTTPS traffic from

1 Answer

Option 2 is correct. When you run yum update on your EC2, the instance initiates an outgoing connection to the repository. Hence you have to allow the outbound traffic to the repository (since you don’t know the ip, you set it to

Once the outbound traffic is initiated, the security group will by default allow the incoming traffic as well for that connection (stateful). Had this been a NACL, you’d have to allow outbound connections on 443 to and incoming traffic on all ephemeral ports from as well.
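
The stateful versus stateless distinction in the answer above, as an added example that is not part of the original answer: a simplified Python model (allow rules only, implicit deny) of how a security group and a network ACL each evaluate the yum update round trip. The any-address CIDR, the repository IP and the ephemeral port are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    """Allow rule; anything unmatched is denied (simplified model)."""
    direction: str   # "out" = leaving the instance/subnet, "in" = arriving
    cidr: str        # remote address range
    port_lo: int     # destination port range of the packet
    port_hi: int

    def matches(self, direction, remote_ip, dst_port):
        return (self.direction == direction
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_lo <= dst_port <= self.port_hi)

def permitted(rules, direction, remote_ip, dst_port):
    return any(r.matches(direction, remote_ip, dst_port) for r in rules)

def security_group_roundtrip(rules, remote_ip, remote_port, local_port):
    # Stateful: only the packet that opens the connection is evaluated.
    # The reply to local_port is tracked and let in without an inbound rule.
    return permitted(rules, "out", remote_ip, remote_port)

def nacl_roundtrip(rules, remote_ip, remote_port, local_port):
    # Stateless: request and reply are evaluated independently, so the
    # reply needs its own inbound rule covering the ephemeral local_port.
    return (permitted(rules, "out", remote_ip, remote_port)
            and permitted(rules, "in", remote_ip, local_port))

# Constructed sample values (assumptions, not taken from the thread).
ANY = "0.0.0.0/0"
REPO_IP, HTTPS, EPHEMERAL = "203.0.113.10", 443, 45000

OPTION_2 = [Rule("out", ANY, 443, 443)]        # outbound HTTPS only
OPTION_3 = [Rule("in", ANY, 443, 443)]         # inbound HTTPS only
NACL_OUT_ONLY = [Rule("out", ANY, 443, 443)]
NACL_BOTH = NACL_OUT_ONLY + [Rule("in", ANY, 1024, 65535)]

def yum_update_results():
    flow = (REPO_IP, HTTPS, EPHEMERAL)
    return {
        "sg_option_2": security_group_roundtrip(OPTION_2, *flow),
        "sg_option_3": security_group_roundtrip(OPTION_3, *flow),
        "nacl_outbound_only": nacl_roundtrip(NACL_OUT_ONLY, *flow),
        "nacl_outbound_plus_ephemeral": nacl_roundtrip(NACL_BOTH, *flow),
    }

if __name__ == "__main__":
    for name, ok in yum_update_results().items():
        print(f"{name}: {'reachable' if ok else 'blocked'}")
```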


Why option is correct?


Per the documentation, security groups are not allowed on a NAT Gateway, right? https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-troubleshooting-no-internet-connection


NAT Gateway Rules and Limitations

A NAT gateway has the following characteristics and limitations:

- A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. If you require more, you can distribute the workload by splitting your resources into multiple subnets, and creating a NAT gateway in each subnet.
- You can associate exactly one Elastic IP address with a NAT gateway. You cannot disassociate an Elastic IP address from a NAT gateway after it’s created. To use a different Elastic IP address for your NAT gateway, you must create a new NAT gateway with the required address, update your route tables, and then delete the existing NAT gateway if it’s no longer required.
- A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
- You cannot associate a security group with a NAT gateway. You can use security groups for your instances in the private subnets to control the traffic to and from those instances.
- You can use a network ACL to control the traffic to and from the subnet in which the NAT gateway is located. The network ACL applies to the NAT gateway’s traffic. A NAT gateway uses ports 1024–65535. For more information, see Network ACLs.
- When a NAT gateway is created, it receives a network interface that’s automatically assigned a private IP address from the IP address range of your subnet. You can view the NAT gateway’s network interface in the Amazon EC2 console. For more information, see Viewing Details about a Network Interface. You cannot modify the attributes of this network interface.
- A NAT gateway cannot be accessed by a ClassicLink connection that is associated with your VPC.
- You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. A NAT gateway cannot be used by resources on the other side of these connections.
- A NAT gateway can support up to 55,000 simultaneous connections to each unique destination. This limit also applies if you create approximately 900 connections per second to a single destination (about 55,000 connections per minute). If the destination IP address, the destination port, or the protocol (TCP/UDP/ICMP) changes, you can create an additional 55,000 connections. For more than 55,000 connections, there is an increased chance of connection errors due to port allocation errors. These errors can be monitored by viewing the ErrorPortAllocation CloudWatch metric for your NAT gateway. For more information, see Monitoring NAT Gateways Using Amazon CloudWatch.
