SCS-C02 Question #161: Real Exam Question with Answer & Explanation
The correct answer is B: Check inbound and outbound Network ACL rules, looking for DENY rules.
Question
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?
Options
- A. Check inbound and outbound security groups, looking for DENY rules
- B. Check inbound and outbound Network ACL rules, looking for DENY rules
- C. Review the rejected packet reason codes in the VPC Flow Logs
- D. Use AWS X-Ray to trace the end-to-end application flow
Explanation
Option B is correct because Network ACLs (NACLs) are stateless subnet-level firewalls that evaluate inbound and outbound rules separately and, unlike security groups, support explicit DENY rules, so a DENY in a NACL blocks traffic even when the security groups allow it. NACL rules match on a CIDR block and a port range and are evaluated in ascending rule-number order with the first match winning, so a narrow DENY (for example a /32 for a single instance, placed at a lower rule number than the broad ALLOW) can block one pair of hosts while every other host in the same two subnets keeps communicating, which is exactly the symptom described. Security groups have already been ruled out, so the NACLs attached to both subnets are the prime suspect.
Why the others are wrong:
- A - Security groups are allow-only; they have no DENY rules (traffic that matches no ALLOW rule is simply dropped), and the question already confirms valid ALLOW rules exist, so there is nothing to find here.
- C - VPC Flow Logs record an action of ACCEPT or REJECT for each flow but carry no reason code and do not say which security group or NACL rule rejected the packet, so they can confirm that traffic is being dropped but cannot tell a NACL block from anything else.
- D - AWS X-Ray traces application-level requests (e.g., microservice calls), not network-layer connectivity; it won't surface a NACL block.
Memory tip: Think "SGs = stateful, allow-only; NACLs = stateless, allow AND deny." Any time a question mentions cross-subnet traffic being blocked despite security groups looking clean, immediately suspect NACLs. They operate at the subnet boundary, and their stateless nature means four rule evaluations have to pass, not two: the outbound rule on the source subnet and the inbound rule on the destination subnet for the request, then the outbound rule on the destination subnet and the inbound rule on the source subnet for the reply, which comes back on an ephemeral port (1024-65535) rather than the service port. A NACL that allows port 443 inbound but never allows the ephemeral range breaks the connection just as surely as an explicit DENY.
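To make the explanation and the memory tip concrete, here is an added example (not part of the original page or of any AWS tooling) that evaluates the four NACL checks a stateless cross-subnet TCP flow must pass. The NACL entries are constructed sample data in the shape of the "Entries" list that the EC2 DescribeNetworkAcls API returns; the instance addresses, subnet names and rule numbers are assumptions for illustration. In a real investigation you would pull the entries for each subnet with boto3's ec2.describe_network_acls and feed them to the same functions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample NACL entries (same shape as EC2 DescribeNetworkAcls "Entries").
# The implicit '*' catch-all (rule 32767, deny) that AWS reports on every NACL is
# supplied by evaluate_nacl() below, so it is omitted from the sample lists.

# Subnet A (10.0.1.0/24): allows everything in both directions.
ACL_SUBNET_A: List[Dict] = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,  "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]

# Subnet B (10.0.2.0/24): a /32 DENY for one host at rule 90 sits ahead of the broad
# ALLOW at rule 100, so only 10.0.1.10 is blocked and every other host in subnet A
# still reaches subnet B. This is the situation the exam question describes.
ACL_SUBNET_B: List[Dict] = [
    {"RuleNumber": 90,  "Protocol": "6",  "RuleAction": "deny",  "Egress": False,
     "CidrBlock": "10.0.1.10/32", "PortRange": {"From": 0, "To": 65535}},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,  "CidrBlock": "0.0.0.0/0"},
]

# Subnet A, stricter variant: inbound allows only TCP 443, with no rule for the
# ephemeral port range. Requests leave fine; replies are dropped on the way back.
ACL_SUBNET_A_STRICT: List[Dict] = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True,  "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6",  "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
]


def _matches(entry: Dict, egress: bool, remote_ip: str, protocol: str, dst_port: int) -> bool:
    """One NACL entry matches a packet if direction, protocol, CIDR and port all match.

    For an egress rule the CIDR is the packet's destination; for an ingress rule it
    is the source. The port range always refers to the packet's destination port.
    """
    if entry["Egress"] != egress:
        return False
    if entry["Protocol"] not in ("-1", protocol):          # "-1" means all protocols
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    rng = entry.get("PortRange")                            # absent on all-protocol rules
    if rng is not None and not (rng["From"] <= dst_port <= rng["To"]):
        return False
    return True


def evaluate_nacl(entries: List[Dict], egress: bool, remote_ip: str,
                  protocol: str, dst_port: int) -> Tuple[str, int]:
    """Evaluate rules in ascending rule-number order; the first match wins.

    Returns (action, rule_number). If nothing matches, the implicit '*' rule
    (32767) denies the packet.
    """
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if _matches(entry, egress, remote_ip, protocol, dst_port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", 32767


def trace_flow(src_ip: str, dst_ip: str, src_acl: List[Dict], dst_acl: List[Dict],
               protocol: str = "6", dst_port: int = 443,
               ephemeral_port: int = 40000) -> List[Tuple[str, str, int]]:
    """Run the four stateless checks for a request and its reply.

    The reply travels dst -> src and lands on the client's ephemeral port, so the
    two reply legs are evaluated against that port, not the service port.
    """
    legs = [
        ("source subnet egress (request)",       src_acl, True,  dst_ip, dst_port),
        ("destination subnet ingress (request)", dst_acl, False, src_ip, dst_port),
        ("destination subnet egress (reply)",    dst_acl, True,  src_ip, ephemeral_port),
        ("source subnet ingress (reply)",        src_acl, False, dst_ip, ephemeral_port),
    ]
    return [(name, *evaluate_nacl(acl, egress, remote, protocol, port))
            for name, acl, egress, remote, port in legs]


def first_block(results: List[Tuple[str, str, int]]) -> Optional[Tuple[str, int]]:
    """Return (leg, rule_number) of the first DENY, or None if every leg is allowed."""
    for name, action, rule in results:
        if action == "deny":
            return name, rule
    return None


if __name__ == "__main__":
    # The failing pair from the question: 10.0.1.10 (subnet A) -> 10.0.2.50 (subnet B).
    for leg, action, rule in trace_flow("10.0.1.10", "10.0.2.50", ACL_SUBNET_A, ACL_SUBNET_B):
        print(f"{leg:40s} {action:5s} rule {rule}")
    # A neighbour in subnet A is unaffected, as the question states.
    print("10.0.1.20 blocked at:", first_block(trace_flow("10.0.1.20", "10.0.2.50", ACL_SUBNET_A, ACL_SUBNET_B)))
    # The stricter NACL passes the request but drops the reply on the ephemeral port.
    print("strict A blocked at:", first_block(trace_flow("10.0.1.20", "10.0.2.50", ACL_SUBNET_A_STRICT, ACL_SUBNET_B)))
```

Two things to take from the output: the /32 DENY at rule 90 on subnet B stops only the one source address, matching "other hosts in the same subnets can communicate", and the stricter subnet A NACL shows a flow dying on the reply leg with no DENY rule at all, because the implicit catch-all drops return traffic on the ephemeral port. When you read real NACLs, sort by rule number and walk all four legs rather than scanning for the word DENY alone.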