Examice

Exam SAP-C01 All QuestionsBrowse all questions from this exam

Question 900

A company has implemented a new security requirement. According to the new requirement, the company must scan all traffic from corporate AWS instances in the company's VPC for violations of the company's security policies. As a result of these scans, the company can block access to and from specific IP addresses.

To meet the new requirement, the company deploys a set of Amazon EC2 instances in private subnets to serve as transparent proxies. The company installs approved proxy server software on these EC2 instances. The company modifies the route tables on all subnets to use the corresponding EC2 instances with proxy software as the default route. The company also creates security groups that are compliant with the security policies and assigns these security groups to the EC2 instances.

Despite these configurations, the traffic of the EC2 instances in their private subnets is not being properly forwarded to the internet.

What should a solutions architect do to resolve this issue?

Disable source/destination checks on the EC2 instances that run the proxy software.

Add a rule to the security group that is assigned to the proxy EC2 instances to allow all traffic between instances that have this security group. Assign this security group to all EC2 instances in the VPC.

Change the VPC's DHCP options set. Set the DNS server options to point to the addresses of the proxy EC2 instances.

Assign one additional elastic network interface to each proxy EC2 instance. Ensure that one of these network interfaces has a route to the private subnets. Ensure that the other network interface has a route to the internet.

Correct Answer: A

To address the issue of traffic not being properly forwarded to the internet, it is essential to disable source/destination checks on the EC2 instances running the proxy software. This is because these proxy instances need to forward packets that neither originate from nor are destined to themselves. By default, EC2 instances can only send and receive traffic for their own specific IP addresses. Disabling the source/destination check allows these instances to route traffic properly, fulfilling the role of a NAT or proxy server.

Discussion

Ni_yotOption: A

This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance

JohnPi

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

WhyIronManOption: A

A. Disable source/destination checks on the EC2 instances that run the proxy software.