"You have configured a new VPC with a private subnet and added a NAT Gateway and configured the subnet route table to route all internet traffic via the NAT Gateway. However when you try to run a yum update, none of your instances are able to reach the internet. What could be the problem?"
As per my understanding of security group rules, we can allow traffic from anywhere or from specific IPs, etc. But the outgoing traffic is not controlled, as security groups are stateful.
The quiz is showing option 2 as right, but I feel option 3 is right.
Please correct me if I am wrong.
1. Create Network ACLs allowing incoming traffic on ports 80 and 443 from 0.0.0.0/0
2. You have forgotten to configure an outbound Security Group rule allowing outbound HTTPS traffic to 0.0.0.0/0
3. You have forgotten to configure an inbound Security Group rule allowing incoming HTTPS traffic from 0.0.0.0/0
4. You have forgotten to configure an outbound Security Group rule allowing outbound HTTPS traffic to 0.0.0.0/0 and an inbound Security Group rule allowing incoming HTTPS traffic from 0.0.0.0/0
Option 2 is correct. When you run yum update on your EC2, the instance initiates an outgoing connection to the repository. Hence you have to allow the outbound traffic to the repository (since you don’t know the IP, you set it to 0.0.0.0/0).
Once the outbound traffic is initiated, the security group will by default allow the incoming traffic as well for that connection (stateful). Had this been a NACL, you’d have to allow outbound connections on 443 to 0.0.0.0/0 and incoming traffic on all ephemeral ports from 0.0.0.0/0 as well.
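The stateful-versus-stateless distinction in this answer, worked as an added example (not from the quiz or from the poster): a small Python model that evaluates security group and NACL rule sets for an instance-initiated HTTPS fetch, the way yum update would need. The rule data, the repository address and the ephemeral reply port are constructed assumptions, and the model only covers TCP.

```python
import ipaddress

# Constructed rule data, not taken from any real account. Ports are
# inclusive ranges; protocol "-1" means all traffic, as in the AWS API.
REPO_IP = "203.0.113.10"      # TEST-NET-3 address standing in for a yum mirror
REPLY_PORT = 45000            # ephemeral source port the instance picks (assumed)

def _covers(rule, proto, port, ip):
    """True if one rule's protocol, port range and CIDR all cover the flow."""
    if rule["proto"] not in ("-1", proto):
        return False
    if rule["proto"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule["cidr"])

def sg_allows(sg_rules, direction, port, ip):
    """Security group: any matching rule allows; there are no deny rules.
    Stateful: a flow allowed in one direction has its replies allowed
    automatically, so only the initiating direction is ever checked."""
    return any(_covers(r, "tcp", port, ip)
               for r in sg_rules if r["direction"] == direction)

def nacl_allows(nacl_rules, direction, port, ip):
    """Network ACL: the lowest-numbered matching rule decides; implicit deny."""
    for r in sorted(nacl_rules, key=lambda r: r["number"]):
        if r["direction"] == direction and _covers(r, "tcp", port, ip):
            return r["action"] == "allow"
    return False

def yum_update_reachable(sg_rules, nacl_rules):
    """Returns (ok, reason) for an instance-initiated HTTPS fetch to REPO_IP."""
    if not sg_allows(sg_rules, "egress", 443, REPO_IP):
        return False, "security group: no egress rule for tcp/443 (option 2)"
    if not nacl_allows(nacl_rules, "egress", 443, REPO_IP):
        return False, "NACL: outbound tcp/443 not allowed"
    if not nacl_allows(nacl_rules, "ingress", REPLY_PORT, REPO_IP):
        return False, "NACL: reply on ephemeral port not allowed (stateless)"
    return True, "ok"

# Scenario from the question: only an inbound 443 rule was added (option 3).
SG_INBOUND_ONLY = [dict(direction="ingress", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0")]
SG_OUTBOUND_443 = [dict(direction="egress", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0")]
NACL_OUT_ONLY = [dict(number=100, direction="egress", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0", action="allow")]
NACL_BOTH = NACL_OUT_ONLY + [dict(number=100, direction="ingress", proto="tcp", from_port=1024, to_port=65535, cidr="0.0.0.0/0", action="allow")]

if __name__ == "__main__":
    for sg, nacl in [(SG_INBOUND_ONLY, NACL_BOTH), (SG_OUTBOUND_443, NACL_OUT_ONLY), (SG_OUTBOUND_443, NACL_BOTH)]:
        print(yum_update_reachable(sg, nacl))
```

The first scenario fails on the security group egress check even though the NACL is complete, which is the quiz's option 2; the second passes the security group but fails the stateless NACL reply check, which is the answer's last sentence.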