Q59 — AWS SCS-C02 Ch.1
A systems engineer is troubleshooting the connectivity of a test environment that includes a virtual security appliance deployed inline. In addition to using the virtual security appliance, the development team wants to use security groups and network ACLs to accomplish various security requirements in the environment. What configuration is necessary to allow the virtual security appliance to route the traffic?
- A. Disable network ACLs.  
- B. Configure the security appliance's elastic network interface for promiscuous mode.  
- C. Disable the Network Source/Destination check on the security appliance's elastic network interface.   ✓
- D. Place the security appliance in the public subnet with the internet gateway.
Correct Answer: C. Disable the Network Source/Destination check on the security appliance's elastic network interface.  
Explanation
When a virtual security appliance in a cloud environment must handle traffic addressed to or from IPs that are not its own, the source/destination check blocks exactly that behavior. AWS documentation states explicitly that when an instance is used to forward network traffic (for example as a NAT or firewall), the source/destination check must be disabled so the appliance can correctly handle transit traffic. Option B concerns promiscuous mode, which is typically used for packet sniffing rather than routing; option A would undermine the layered security requirement; option D is irrelevant, because the appliance's placement does not affect this. The default check on an AWS VPC network interface drops traffic whose source or destination IP is not bound to that interface, so turning the check off is a prerequisite for routing.