AWS Certified CloudOps Engineer Associate SOA-C03 Practice Question
EC2 instances in a private subnet are unable to connect to a public API over HTTPS. The private subnet's route table directs 0.0.0.0/0 traffic to a NAT gateway. The instances' security group allows outbound TCP port 443. VPC flow logs on the instances' network interfaces show 'REJECT' entries for inbound traffic on destination ports 1024-65535. Which action will restore connectivity without making the instances publicly accessible?
Update the private subnet's network ACL to allow inbound TCP traffic on ports 1024-65535 from 0.0.0.0/0.
Attach an internet gateway to the private subnet and add a 0.0.0.0/0 route to it.
Add an inbound rule for TCP port 443 to the EC2 instances' security group.
Disable source/destination checking on the NAT gateway's elastic network interface.
Because network ACLs are stateless, return traffic must be explicitly allowed. The NAT gateway translates the source instance's IP address, but the return traffic from the API (source port 443) must be able to reach the original instance on the ephemeral port it used to initiate the connection (destination ports 1024-65535). If the private subnet's NACL does not allow inbound traffic on this high port range, the connection fails. This rejection is captured by VPC flow logs. Allowing this inbound ephemeral port range on the private subnet's NACL resolves the issue. Attaching an internet gateway would make the instances public, which violates the requirement. Disabling source/destination check is only relevant for NAT instances, not managed NAT gateways. Security groups are stateful, so they automatically allow return traffic for connections initiated by the instance; no inbound rule is needed.
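As an added example (not part of the original question or its explanation), the Python script below models the stateless network ACL evaluation and the stateful security-group evaluation for the HTTPS flow described above, and scans VPC flow log records for the rejected return traffic on ephemeral ports. The NACL rules, flow log rows, addresses and port numbers are all constructed for illustration.

```python
# Added example, not from the original question page: simulate how a stateless
# network ACL and a stateful security group each judge the HTTPS request and
# its reply, then scan constructed VPC flow log records for the symptom.
from collections import namedtuple

Packet = namedtuple("Packet", "direction src_port dst_port")  # "egress" leaves the subnet, "ingress" enters it

# Constructed TCP NACL rules (rule_number, direction, from_port, to_port, action); lowest match wins, else implicit deny.
NACL_BEFORE = [(100, "egress", 443, 443, "allow")]
NACL_AFTER = NACL_BEFORE + [(110, "ingress", 1024, 65535, "allow")]  # the fix: allow ephemeral return ports

def nacl_decision(rules, pkt):
    """Stateless: every packet is matched on its own, in either direction."""
    for _, direction, lo, hi, action in sorted(rules):
        if direction == pkt.direction and lo <= pkt.dst_port <= hi:
            return "ACCEPT" if action == "allow" else "REJECT"
    return "REJECT"  # implicit deny at the end of the ACL

def sg_decisions(outbound_ports, packets):
    """Stateful: replies to a tracked outbound connection need no inbound rule."""
    tracked, verdicts = set(), []
    for p in packets:
        if p.direction == "egress":
            ok = p.dst_port in outbound_ports
            if ok:
                tracked.add((p.src_port, p.dst_port))
        else:
            ok = (p.dst_port, p.src_port) in tracked
        verdicts.append("ACCEPT" if ok else "REJECT")
    return verdicts

# The instance's SYN to the API on :443 and the API's reply to the ephemeral port.
HTTPS_FLOW = [Packet("egress", 49152, 443), Packet("ingress", 443, 49152)]

# Constructed flow log records, default v2 fields: version account-id interface-id
# srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOGS = """\
2 123456789012 eni-0aaa 10.0.1.10 203.0.113.5 49152 443 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 203.0.113.5 10.0.1.10 443 49152 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0aaa 198.51.100.9 10.0.1.10 41000 22 6 1 60 1700000000 1700000060 REJECT OK"""

def rejected_returns(log_text, ephemeral=(1024, 65535)):
    """TCP rows rejected on an ephemeral dst port with srcport 443: the NACL symptom."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        sport, dport, proto, action = int(f[5]), int(f[6]), f[7], f[12]
        if action == "REJECT" and proto == "6" and sport == 443 and ephemeral[0] <= dport <= ephemeral[1]:
            hits.append((f[3], dport))
    return hits
```

With NACL_BEFORE the reply is rejected while the security group, being stateful, would have accepted it; adding the ingress 1024-65535 rule (NACL_AFTER) is what lets the reply through.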