AWS Certified Solutions Architect Professional SAP-C02 Practice Question

The correct answer is that the network ACL (NACL) for the public subnet is missing an outbound rule for ephemeral ports. Security groups are stateful, meaning that if inbound traffic is allowed, the corresponding return traffic is automatically permitted. NACLs, however, are stateless. This means that for every inbound request allowed, a corresponding outbound rule must exist to allow the response traffic back to the source. When a client connects to a server, it opens a random, high-numbered port (an ephemeral port, typically in the range of 1024-65535) to receive the return traffic. The public subnet's NACL must explicitly allow outbound traffic destined for this ephemeral port range to permit the web server's response to reach the client. Without this rule, the server's response packets are dropped at the subnet boundary, causing the client to eventually time out.

• Modifying the security group's outbound rules is incorrect because security groups are stateful; return traffic for an allowed inbound connection is automatically permitted without a specific outbound rule.
• Adding an inbound NACL rule for port 443 is not the solution because the scenario states that SYN packets are already reaching the web servers, indicating that inbound traffic is permitted. The issue lies with the return (outbound) traffic.
• Modifying the NACL for the private subnet is incorrect as the problem described is between the internet clients and the web servers in the public subnet, not between the web and application tiers.