Q98 — AWS SCS-C02 Ch.1
While securing the connection between a company’s VPC and its on-premises data center, a security engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following: What action should be performed to allow the ping to work?
- A. In the security group of the EC2 instance, allow inbound ICMP traffic.
- B. In the security group of the EC2 instance, allow outbound ICMP traffic.
- C. In the VPC’s NACL, allow inbound ICMP traffic.
- D. In the VPC’s NACL, allow outbound ICMP traffic. ✓
Correct Answer: D. In the VPC’s NACL, allow outbound ICMP traffic.
Explanation
According to the question, the ping command returned no response and the VPC flow log shows rejected traffic. ICMP is the protocol used for network diagnostics, including the Echo request and Echo reply messages that ping relies on. Unlike security groups, network ACLs are stateless, so the Echo reply leaving the instance is not automatically permitted just because the inbound Echo request was; it must be explicitly allowed by an outbound rule. To allow the ping command to work, outbound ICMP traffic must therefore be allowed in the VPC's network ACL (NACL). Option D is correct because it allows outbound ICMP traffic in the VPC's NACL.