Q5 — AWS ANS-C01 Ch.1
A company plans to run a computationally intensive data processing application on AWS. The data is highly sensitive. The VPC must have no direct internet access, and the company has applied strict network security to control access. Data scientists will transfer data from the company's on-premises data center to the instances by using an AWS Site-to-Site VPN connection. The on-premises data center uses the network range 172.31.0.0/20, and the application VPC will use the network range 172.31.16.0/20. The data scientists report that they can start new instances of the application but that they cannot transfer any data from the on-premises data center. A network engineer enables VPC flow logs and sends a ping to one of the instances to test reachability. The flow logs show the following: The network engineer must recommend a solution that will give the data scientists the ability to transfer data from the on-premises data center. Which solution will meet these requirements?
- A. Modify the security group for the application. Add an inbound rule to allow traffic from the on-premises data center network range to the application.
- B. Modify the network ACLs for the VPC subnet. Add an inbound rule to allow traffic from the on-premises data center network range to the VPC subnet range.
- C. Modify the network ACLs for the VPC subnet. Add an outbound rule to allow traffic from the VPC subnet range to the on-premises data center network range. ✓
- D. Modify the security group for the application. Add an outbound rule to allow traffic from the application to the on-premises data center network range.
Correct Answer: C. Modify the network ACLs for the VPC subnet. Add an outbound rule to allow traffic from the VPC subnet range to the on-premises data center network range.
Explanation
In AWS, network access control for a VPC (Virtual Private Cloud) is handled mainly by security groups and network access control lists (network ACLs). Security groups control traffic in and out of instances, while network ACLs control traffic in and out of subnets. Because the data scientists can launch application instances from the on-premises data center but cannot transfer data, the problem most likely lies in subnet-level traffic control. Options A and D modify security group rules, which affect traffic to and from the instances rather than traffic between subnets. Since a Site-to-Site VPN connection is already established between the VPC and the on-premises data center, and the instances can be launched, the instance-level security group rules are probably not the cause. Option B does involve network ACLs, but it adds an inbound rule, whereas the problem is that data cannot be transferred from the VPC to the on-premises data center, so an outbound rule is needed. Network ACLs are stateless, so the return traffic for a connection that the inbound rules already allow must be permitted explicitly by an outbound rule. Option C is correct because it modifies the network ACLs of the VPC subnet and adds an outbound rule that allows traffic from the VPC subnet range to the on-premises data center network range. This resolves the data scientists' inability to transfer data between the VPC and the on-premises data center.