SOA-C02 · Question #413
SOA-C02 Question #413: Real Exam Question with Answer & Explanation
Question
A SysOps administrator is creating a simple, public-facing website running on Amazon EC2. The SysOps administrator created the EC2 instance in an existing public subnet and assigned an Elastic IP address to the instance. Next, the SysOps administrator created and applied a new security group to the instance to allow incoming HTTP traffic from 0.0.0.0/0. Finally, the SysOps administrator created a new network ACL and applied it to the subnet to allow incoming HTTP traffic from 0.0.0.0/0. However, the website cannot be reached from the internet. What is the cause of this issue?
Options
- A. The SysOps administrator did not create an outbound rule that allows ephemeral port return.
- B. The SysOps administrator did not create an outbound rule in the security group that allows HTTP.
- C. The Elastic IP address assigned to the EC2 instance has changed.
- D. There is an additional network ACL associated with the subnet that includes a rule that denies
Explanation
Why A is correct: Network ACLs are stateless: every packet is matched against the inbound or outbound rule list on its own, with no connection tracking, and a newly created custom NACL denies all inbound and all outbound traffic until rules are added. The administrator added only an inbound rule for TCP port 80, so the client's request (source port ephemeral, destination port 80) is admitted, but the instance's reply travels in the outbound direction to the client's ephemeral source port, not to port 80. With no outbound rule the reply falls through to the implicit deny rule at the end of the outbound list and is dropped, so the TCP handshake never completes. The ephemeral range depends on the client's operating system (Linux defaults to 32768–60999, recent Windows to 49152–65535, and NAT gateways and load balancers use 1024–65535), which is why the usual fix is an outbound allow rule for TCP 1024–65535 to 0.0.0.0/0.
Why the distractors are wrong:
- B is wrong because security groups are stateful: if inbound HTTP is allowed, the return traffic for that connection is permitted automatically without an explicit outbound rule. In addition, a newly created security group already contains a default outbound rule that allows all traffic, so a missing outbound HTTP rule is not a plausible cause.
- C is wrong because Elastic IP addresses are static by design and do not change unless manually reassigned or released.
- D is wrong because a subnet can be associated with only one network ACL at a time; applying the new NACL replaced whatever association existed before, so there cannot be an "additional" NACL on the same subnet. The scenario already contains a complete root cause without one.
Memory tip: Use the acronym NACL = Not Automatic, Check Levels - NACLs are stateless so you must manually add rules at both inbound and outbound levels, including ephemeral port ranges (1024–65535) for return traffic. Security groups, by contrast, are stateful and handle return traffic automatically.
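The following is an added worked example, not part of the original question or of any AWS tooling: a small simulator of stateless NACL evaluation next to stateful security-group evaluation, run over the single HTTP request/response pair described above. The client and server addresses, the rule numbers and the 51234 ephemeral port are constructed for the example; the evaluation order (ascending rule number, first match wins, implicit deny at the end) and the "inbound rules match the source CIDR, outbound rules match the destination CIDR, both match the destination port" convention mirror how NACLs are documented to behave.

```python
"""Stateless NACL vs. stateful security group on one HTTP exchange (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Constructed endpoints: a client on the internet (TEST-NET-3 address) and the
# instance's private IP inside the public subnet. Not real hosts.
CLIENT_IP = "203.0.113.10"
SERVER_IP = "10.0.1.25"
EPHEMERAL_PORT = 51234          # source port chosen by the client OS (assumed value)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str              # "inbound" or "outbound" relative to the subnet


@dataclass(frozen=True)
class AclRule:
    number: int                 # evaluated in ascending order; first match wins
    direction: str
    action: str                 # "allow" or "deny"
    cidr: str                   # source CIDR for inbound, destination CIDR for outbound
    port_from: int              # destination port range
    port_to: int


def cidr_match(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class NetworkAcl:
    """Stateless: each packet is judged alone, with no memory of earlier packets."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet) -> bool:
        remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if cidr_match(r.cidr, remote_ip) and r.port_from <= pkt.dst_port <= r.port_to:
                return r.action == "allow"
        return False            # the implicit "*" rule at the end of every NACL denies


class SecurityGroup:
    """Stateful: once a flow is admitted, its return traffic is allowed automatically."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (cidr, port_from, port_to)
        self.outbound = outbound
        self.flows = set()          # admitted 5-tuples (minus protocol) acting as the state table

    def allows(self, pkt: Packet) -> bool:
        forward = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.flows:
            return True             # reply to a flow we already admitted
        remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for cidr, lo, hi in rules:
            if cidr_match(cidr, remote_ip) and lo <= pkt.dst_port <= hi:
                self.flows.add(forward)
                return True
        return False


# The client's request and the instance's reply, as they cross the subnet boundary.
REQUEST = Packet(CLIENT_IP, EPHEMERAL_PORT, SERVER_IP, 80, "inbound")
RESPONSE = Packet(SERVER_IP, 80, CLIENT_IP, EPHEMERAL_PORT, "outbound")

# The NACL exactly as the administrator built it: inbound HTTP only, nothing outbound.
BROKEN_NACL = NetworkAcl([AclRule(100, "inbound", "allow", "0.0.0.0/0", 80, 80)])

# The fix: an outbound allow for the ephemeral range the clients' replies go to.
FIXED_NACL = NetworkAcl([
    AclRule(100, "inbound", "allow", "0.0.0.0/0", 80, 80),
    AclRule(100, "outbound", "allow", "0.0.0.0/0", 1024, 65535),
])

# Rule ordering: a lower-numbered deny is matched before the allow and wins.
DENY_FIRST_NACL = NetworkAcl([
    AclRule(90, "inbound", "deny", "203.0.113.0/24", 80, 80),
    AclRule(100, "inbound", "allow", "0.0.0.0/0", 80, 80),
    AclRule(100, "outbound", "allow", "0.0.0.0/0", 1024, 65535),
])


def new_security_group() -> SecurityGroup:
    # Inbound HTTP from anywhere and deliberately *no* outbound rules at all:
    # the reply is still admitted because of connection tracking.
    return SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)], outbound=[])


def http_exchange_succeeds(filter_) -> bool:
    """True only if both the request and the reply pass the filter."""
    return filter_.allows(REQUEST) and filter_.allows(RESPONSE)


if __name__ == "__main__":
    print("broken NACL :", http_exchange_succeeds(BROKEN_NACL))      # False
    print("fixed NACL  :", http_exchange_succeeds(FIXED_NACL))       # True
    print("deny-first  :", http_exchange_succeeds(DENY_FIRST_NACL))  # False
    print("security grp:", http_exchange_succeeds(new_security_group()))  # True
```

Running it shows the request passing the broken NACL while the reply is dropped, the same exchange passing once the outbound 1024–65535 rule exists, and the security group admitting the reply with no outbound rule at all, which is the whole difference between options A and B.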