PrepAway - Latest Free Exam Questions & Answers

Which of the below mentioned entries is required in the…

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16.
The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a
DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp)
and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group
(WebSecGrp)?


A. Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound

B. 80 for Destination 0.0.0.0/0 Outbound

C. Configure port 3306 for source 20.0.0.0/24 InBound

D. Configure port 80 InBound for source 20.0.0.0/16

Explanation:
A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private
subnet to host the web server and the DB server respectively, the instances in the public subnet must be able to receive
inbound traffic directly from the internet. Thus, the user should configure port 80 with source 0.0.0.0/0 InBound. The user
should also allow the instance in the public subnet to send traffic to the private subnet instances on the DB port. Thus, the
user should configure the DB security group of the private subnet (DbSecGrp) as the destination for port 3306 Outbound.
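As an added illustration that is not part of the original page, the following Python model evaluates the two groups from the question: a new connection must pass the source group's outbound rules and the destination group's inbound rules, and a permitted connection is tracked so that its reply passes without any rule (security groups are stateful). The host addresses are constructed, and the default allow-all outbound rule is deliberately left out so that the listed rules are the whole policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" (inbound) or "out" (outbound)
    port: int
    peer: str        # a CIDR such as "0.0.0.0/0" or another group's name such as "DBSecGrp"

# Security groups from the question: WebSecGrp accepts HTTP from anywhere and may
# open MySQL connections to members of DBSecGrp; DBSecGrp accepts MySQL from WebSecGrp.
GROUPS = {
    "WebSecGrp": [Rule("in", 80, "0.0.0.0/0"), Rule("out", 3306, "DBSecGrp")],
    "DBSecGrp": [Rule("in", 3306, "WebSecGrp")],
}

# Constructed hosts: (address, security group). The private-subnet address and the
# internet client address are assumptions; the question does not give them.
HOSTS = {
    "web": ("20.0.1.10", "WebSecGrp"),
    "db": ("20.0.2.10", "DBSecGrp"),
    "client": ("203.0.113.5", None),   # no security group: an arbitrary internet host
}

def rule_matches(rule, direction, port, peer_ip, peer_group):
    """True if this rule permits traffic in `direction` on `port` to/from the peer."""
    if rule.direction != direction or rule.port != port:
        return False
    if rule.peer in GROUPS:                      # rule references a security group ID
        return rule.peer == peer_group
    return ip_address(peer_ip) in ip_network(rule.peer)

def connection_allowed(src, dst, port, tracked):
    """Can `src` open a NEW connection to `dst`:`port`? The source group's outbound
    rules and the destination group's inbound rules must both permit it. A permitted
    connection is recorded in `tracked` so its reply traffic needs no rule."""
    src_ip, src_grp = HOSTS[src]
    dst_ip, dst_grp = HOSTS[dst]
    egress_ok = src_grp is None or any(
        rule_matches(r, "out", port, dst_ip, dst_grp) for r in GROUPS[src_grp])
    ingress_ok = dst_grp is None or any(
        rule_matches(r, "in", port, src_ip, src_grp) for r in GROUPS[dst_grp])
    if egress_ok and ingress_ok:
        tracked.add((src, dst, port))
    return egress_ok and ingress_ok

def reply_allowed(src, dst, port, tracked):
    """Stateful: the reply to a tracked connection passes without any matching rule."""
    return (dst, src, port) in tracked
```

With these rules an internet client reaches the web server on 80, the web server reaches the DB on 3306, and the DB's reply is accepted although WebSecGrp has no inbound 3306 rule, while a direct internet connection to the DB is refused.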

13 Comments on “Which of the below mentioned entries is required in the…

    1. Sada says:

      Agree with you, but as the web server needs to communicate with that DB instance, we need to configure DBSecGrp at outbound just to tell WebSecGrp to route traffic for 3306 to that private subnet.

      1. Chaim says:

        What is missing here is the port 80 inbound with the source being 0.0.0.0/0. All others make no sense at all.

        And yes, a rule needs to be created on the DBSecGrp SG to allow the web server to communicate with it over 3306; however, the question was around the WebSecGrp SG and not DBSecGrp.

  1. Rohit says:

    Since the question is concerned only about the Web Security Group, the minimum configuration that should be done in that group is port 80 with source 0.0.0.0/0. Since security groups are stateless (inbound rule applies to outbound and vice versa), option B should be considered first here. But both A and B are true in this case.

      1. ASM says:

        I agree. Unless the server is meant to be making outbound connections on port 80, which is not likely in this scenario.

  2. Fiq Ahmad says:

    D

    The web server only needs to specify inbound rules using port 80 from source 20.0.0.0/16. All outbound traffic is permitted by default.

  3. Tuanba says:

    A.
    Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound
    => default is outbound 0.0.0.0/0, but you should define a specific outbound to the DB => right

    B.
    80 for Destination 0.0.0.0/0 Outbound
    => for what purpose? no need => wrong

    C.
    Configure port 3306 for source 20.0.0.0/24 InBound
    => the question doesn't mention this CIDR => wrong

    D.
    Configure port 80 InBound for source 20.0.0.0/16
    => for what purpose? => wrong

    So the most suitable is A.

    1. Really says:

      Jaysus. SGs are stateless and by default everything is locked down. You have to allow the DB to talk with the web server, so open port 80 for inbound traffic from the DB subnet (outbound will be opened by the statelessness).

      Question asks clearly which is needed for THE WEB SG?

      D is the right answer, come on lads. Do a little bit of study first.

      1. Scotty says:

        A – Yes, it needs to initiate outbound 3306 connections to the DB.
        B – No, it won’t initiate outbound connections on port 80; it will receive them and automatically allow response traffic back. SGs are stateless.
        C – No, it won’t accept inbound 3306 connections, it will send them outbound to the DB source SG.
        D – No, why would the server need inbound port 80 from just 20.0.0.0/16? It needs to be accessible on port 80 from Internet addresses (0.0.0.0/0).

        And you are absolutely wrong, SGs are STATEFUL. Come on, you should know this by now if you’re going for the SysOps Admin.

      2. James says:

        True, but the IP range should be a range for all (0.0.0.0/0) for port 80 with inbound rule, not the VPC range (20.0.0.0/16). So the solution is A, which opens port for the internal outbound communication to the private subnet that hosts the DB Server (Outbound rule with DB SG ID).
