Q53 — AWS SCS-C02 Ch.1
Two Amazon EC2 instances in different subnets should be able to connect to each other but cannot. It has been confirmed that other hosts in the same subnets are able to communicate successfully, and that security groups have valid ALLOW rules in place to permit this traffic. Which of the following troubleshooting steps should be performed?
- A. Check inbound and outbound security groups, looking for DENY rules
- B. Check inbound and outbound Network ACL rules, looking for DENY rules ✓
- C. Review the rejected packet reason codes in the VPC Flow Logs
- D. Use AWS X-Ray to trace the end-to-end application
Correct Answer: B. Check inbound and outbound Network ACL rules, looking for DENY rules
Explanation
Network ACLs are stateless and control traffic entering and leaving at the subnet level, so both inbound and outbound rules must be explicitly allowed. If instances in two different subnets cannot communicate while communication within each subnet works and the security groups have already been confirmed to be configured correctly, the next step is to check whether a network ACL contains a deny rule that is blocking the traffic. Different subnets may be associated with different network ACLs, and rule ordering or a failure to explicitly allow the relevant ports can cause the traffic to be rejected. The official AWS documentation states that network ACL rules are evaluated in ascending order by rule number, so an earlier deny rule can override a later allow rule. Option C, VPC Flow Logs, can record the traffic, but checking the network ACLs directly is quicker; option A's security groups have already been confirmed to allow the traffic; and option D concerns application-layer tracing.