SOA-C02 Exam Questions

SOA-C02 Exam - Question 383


A SysOps administrator is troubleshooting a VPC with public and private subnets that leverage custom network ACLs. Instances in the private subnet are unable to access the internet. There is an internet gateway attached to the public subnet. The private subnet has a route to a NAT gateway that is also attached to the public subnet. The Amazon EC2 instances are associated with the default security group for the VPC.

What is causing the issue in this scenario?

Correct Answer: A

The problem is likely due to a network ACL on the private subnet set to deny all outbound traffic. Network ACLs are stateless and apply to all traffic entering and leaving the subnet. If the network ACL is configured to deny all outbound traffic, instances in the private subnet would be unable to access the Internet through the NAT gateway, even though the route to the NAT gateway is correctly set up.
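An added example, not from the exam site and not AWS code, that makes the answer checkable: it replays the network ACL evaluation order (lowest rule number first, first match wins, implicit rule 32767 deny) over constructed rule sets written in the shape that boto3's `describe_network_acls()` returns under `Entries`, once for an HTTPS request leaving the private subnet and once for its return traffic arriving on an ephemeral port. Because NACLs are stateless, both directions must be allowed for the connection to work, which is the point the explanation above makes. The rule sets and the remote address `203.0.113.10` (a documentation address) are constructed for the example; the function `check_https_egress()` is an assumed helper name, and a real check would pass the `Entries` list of the private subnet's NACL into it.

```python
"""Replay VPC network ACL evaluation for HTTPS egress from a private subnet.

NACL semantics reproduced here:
  * rules are evaluated in ascending RuleNumber order, first match wins;
  * inbound and outbound rule sets are independent (stateless), so the
    return packets of an outbound connection need their own inbound allow;
  * anything that matches no rule hits the implicit "*" deny, rule 32767.
"""
import ipaddress

IMPLICIT_DENY = 32767          # AWS default catch-all rule number ("*")
TCP = "6"                      # NACL Protocol value for TCP; "-1" means all

# Constructed sample entries (same keys as boto3 describe_network_acls()).
# Scenario from the question: outbound denied on the private subnet.
DENY_ALL_OUTBOUND_ACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True,  "Protocol": "-1", "RuleAction": "deny",  "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": IMPLICIT_DENY, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": IMPLICIT_DENY, "Egress": True,  "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

# A correct private-subnet NACL: outbound 443 plus inbound ephemeral ports for replies.
WORKING_ACL = [
    {"RuleNumber": 100, "Egress": True,  "Protocol": TCP, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": False, "Protocol": TCP, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": IMPLICIT_DENY, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": IMPLICIT_DENY, "Egress": True,  "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

# Common mistake: outbound allowed, but the stateless return path was forgotten.
HALF_OPEN_ACL = [
    {"RuleNumber": 100, "Egress": True,  "Protocol": TCP, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": IMPLICIT_DENY, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": IMPLICIT_DENY, "Egress": True,  "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]


def _entry_matches(entry, protocol, port, ip):
    """True if a single NACL entry covers this protocol, port and address."""
    if entry["Protocol"] not in ("-1", protocol):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    port_range = entry.get("PortRange")        # absent on all-protocol rules
    if port_range and not (port_range["From"] <= port <= port_range["To"]):
        return False
    return True


def first_matching_rule(entries, egress, protocol, port, ip):
    """Return (action, rule_number) of the first matching rule in one direction."""
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if _entry_matches(entry, protocol, port, ip):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", IMPLICIT_DENY               # nothing matched: implicit deny


def check_https_egress(entries, remote_ip="203.0.113.10", ephemeral_port=49152):
    """Evaluate an outbound HTTPS connection and its reply through the NACL.

    Outbound: destination = remote_ip, dport 443 (checked against egress rules).
    Return:   source = remote_ip, dport = instance's ephemeral port (ingress rules).
    """
    outbound = first_matching_rule(entries, True, TCP, 443, remote_ip)
    reply = first_matching_rule(entries, False, TCP, ephemeral_port, remote_ip)
    return {
        "outbound": outbound,
        "return_traffic": reply,
        "reachable": outbound[0] == "allow" and reply[0] == "allow",
    }


if __name__ == "__main__":
    for name, acl in [("deny-all-outbound", DENY_ALL_OUTBOUND_ACL),
                      ("working", WORKING_ACL),
                      ("half-open", HALF_OPEN_ACL)]:
        print(name, check_https_egress(acl))
```

Running it shows the three outcomes side by side: the question's NACL fails at the outbound rule 100 deny, the half-open one passes outbound but has its replies dropped by rule 32767, and only the NACL with both an egress allow and an ingress ephemeral-port allow reports `reachable: True`. The route to the NAT gateway never enters into this, which is why a correct route table alone does not prove connectivity.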

Discussion

5 comments
LemonGremlin (Option: A)
Jul 1, 2024

There is a network ACL on the private subnet set to deny all outbound traffic. Network ACLs (Access Control Lists) are stateless and operate at the subnet level. If there is a network ACL on the private subnet that is configured to deny all outbound traffic, it would prevent instances in the private subnet from accessing the internet through the NAT gateway.

LudiVoss (Option: A)
Jul 10, 2024

It is A, default security groups don't block anything so it can only be in ACL.

WinAndWin (Option: A)
Jul 1, 2024

A is the best one.

Student013657 (Option: A)
Dec 6, 2024

Agree with LudiVoss

shinejh0528 (Option: C)
Mar 22, 2025

No. It's C. In this scenario, there are 2 cases. 1. When accessing from outside: blocked by the default security group. 2. When talking from inside: the default security group did not succeed. There is Ado. Since 2 does not correspond to anything, it should be considered as 1 only, so C is appropriate. I understood that using the custom network ACL meant that the firewall was allowed. And the default security group originally had no settings. So I had to allow inbound in the security group. So I chose C. Even if the custom network ACL is incorrect and is reset, access is not possible if the security group does not allow it.