Exam 1z0-1072-23
Question 9

A recently hired network administrator has been given the task of removing SSH permissions from all compute instances in the company's tenancy. She finds all Virtual Cloud Networks (VCNs) in the tenancy using Tenancy Explorer and removes port 22 from the Security Lists in all VCNs. After she completes the task, the very first compute instance that she tests SSH against still allows her to SSH into it. Why is that?

    Correct Answer: C

    The VNIC of that compute instance is attached to a Network Security Group (NSG) that has a stateful ingress rule for all protocols on source CIDR 0.0.0.0/0. Security Lists and NSGs do not override one another: when a VNIC is covered by both, OCI permits a packet if any rule in any of its Security Lists or NSGs allows it, and there are no deny rules, so allow rules from both sources simply add up. Because the NSG rule admits every protocol and port from any source, removing port 22 from the Security Lists changes nothing for this instance and SSH still gets through. Disabling SSH requires finding the NSGs attached to the instance's VNIC and removing or narrowing that rule as well.
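
The following is an added example, not part of the exam page and not Oracle's code, that evaluates the union semantics described above against rule data in the JSON layout the OCI CLI returns (kebab-case keys such as `tcp-options` and `destination-port-range`; that layout, and the field names used, are assumptions of this example). The Security List and NSG rules are constructed to mirror the scenario: port 22 has already been removed from the Security List, but the NSG still carries a stateful all-protocols ingress rule from 0.0.0.0/0. The function returns every rule that still admits TCP/22, which is what the administrator needs in order to know what to delete.

```python
import ipaddress

# Constructed sample rules in the field layout returned by the OCI CLI
# (kebab-case keys). Both lists are made up for this example and are not
# real tenancy data.
SECURITY_LIST_INGRESS = [
    # Port 22 has already been removed; only HTTPS remains.
    {"protocol": "6", "source": "0.0.0.0/0", "source-type": "CIDR_BLOCK",
     "is-stateless": False,
     "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
]

NSG_RULES = [
    # The rule from the exam scenario: all protocols, any source, stateful ingress.
    {"id": "rule-1", "direction": "INGRESS", "protocol": "all", "source": "0.0.0.0/0",
     "source-type": "CIDR_BLOCK", "is-stateless": False, "tcp-options": None},
    # Egress rules never affect inbound SSH; included to show they are skipped.
    {"id": "rule-2", "direction": "EGRESS", "protocol": "all", "destination": "0.0.0.0/0",
     "destination-type": "CIDR_BLOCK", "is-stateless": False},
]

TCP = "6"  # IANA protocol number, as OCI encodes it


def rule_permits_ingress(rule, src_ip, dst_port, proto=TCP):
    """True if one Security List or NSG rule allows ingress `proto` traffic
    from `src_ip` to `dst_port`. OCI rules are allow-only; there is no deny.
    Security List ingress rules carry no `direction` key, so it defaults to INGRESS."""
    if rule.get("direction", "INGRESS") != "INGRESS":
        return False
    if rule.get("source-type", "CIDR_BLOCK") != "CIDR_BLOCK":
        # Service-CIDR and NSG-sourced rules cannot match an arbitrary public IP;
        # treated as non-matching here (simplification for this example).
        return False
    if rule["protocol"] not in ("all", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["source"], strict=False):
        return False
    if rule["protocol"] == "all":
        return True  # every port of every protocol
    opts = rule.get("tcp-options") if proto == TCP else rule.get("udp-options")
    rng = (opts or {}).get("destination-port-range")
    if rng is None:  # no port range on a TCP/UDP rule means all ports
        return True
    return rng["min"] <= dst_port <= rng["max"]


def ssh_permitters(security_list_rules, nsg_rules, src_ip):
    """Return every rule, from either source, that admits TCP/22 from src_ip.
    OCI evaluates Security Lists and NSGs as a union of allows, so a non-empty
    result means SSH is reachable even if the Security Lists no longer mention 22."""
    hits = [("security-list", r) for r in security_list_rules
            if rule_permits_ingress(r, src_ip, 22)]
    hits += [("nsg", r) for r in nsg_rules if rule_permits_ingress(r, src_ip, 22)]
    return hits


def ssh_allowed(security_list_rules, nsg_rules, src_ip="203.0.113.10"):
    """Overall verdict for the VNIC: is SSH from src_ip reachable?"""
    return bool(ssh_permitters(security_list_rules, nsg_rules, src_ip))


if __name__ == "__main__":
    for origin, rule in ssh_permitters(SECURITY_LIST_INGRESS, NSG_RULES, "203.0.113.10"):
        print(f"SSH still allowed by {origin} rule: {rule}")
```

To run this against a real VNIC, feed it the rules from `oci network security-list get --security-list-id ...` (the `ingress-security-rules` array) and, for each NSG id listed on the VNIC, from `oci network nsg rules list --nsg-id ...`; the all-protocols rule above will show up as the only permitter once port 22 is gone from the Security Lists, which is exactly why the instance in the question still answers on 22.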

Discussion
Mopo
Option: C

If the VNIC of the compute instance is attached to an NSG that has a stateful ingress rule allowing all protocols from the source CIDR 0.0.0.0/0, it means that all incoming traffic, including SSH traffic on port 22, is still permitted regardless of the Security Lists configured at the VCN level. NSG rules take precedence over Security Lists. To ensure that SSH access is completely disabled for the compute instance, the network administrator should review and modify the NSG associated with the compute instance's VNIC to remove the stateful ingress rule allowing SSH traffic.