Question 21
Domain 3: Infrastructure Security

While securing the connection between a company's VPC and its on-premises data center, a Security Engineer sent a ping command from an on-premises host (IP address 203.0.113.12) to an Amazon EC2 instance (IP address 172.31.16.139). The ping command did not return a response. The flow log in the VPC showed the following two records (one per line):

`2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK`
`2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK`

What action should be performed to allow the ping to work?
Correct answer: D
Explanation
The flow log shows the inbound packet was ACCEPTed but the return traffic was REJECTed, meaning the echo reply was blocked on its way out of the subnet. Because network ACLs are stateless, ICMP must be explicitly allowed in both directions; allowing outbound ICMP in the VPC NACL lets the echo reply return and the ping succeed.
Why each option is right or wrong
A. In the security group of the EC2 instance, allow inbound ICMP traffic.
Security groups are stateful: return traffic for a permitted inbound connection is allowed automatically, so the security group is not what rejected the reply.
B. In the security group of the EC2 instance, allow outbound ICMP traffic.
Outbound security-group rules govern connections the instance initiates, not the return path of an already-accepted inbound flow, which is what the flow log shows was blocked.
C. In the VPC's NACL, allow inbound ICMP traffic.
Inbound NACL rules govern traffic entering the subnet; the rejected packet was the reply leaving the subnet, so an inbound rule would not fix it.
D. In the VPC's NACL, allow outbound ICMP traffic.
The VPC Flow Log shows the packet from 203.0.113.12 to 172.31.16.139 was ACCEPTed, but the return packet from 172.31.16.139 back to 203.0.113.12 was REJECTed, so the failure is on egress from the instance subnet rather than ingress. Under Amazon VPC network ACL behavior, rules are stateless and evaluated separately for each direction, so ICMP echo-reply traffic must be explicitly permitted outbound in the NACL; otherwise the reply is dropped and ping cannot complete.
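As an added diagnostic example (not part of the original question or of any AWS material), the Python below parses default-format version-2 VPC Flow Log records and flags flows whose forward direction was ACCEPTed while the reply direction was REJECTed, the pattern that points at a stateless network ACL missing its return-direction rule. The two sample records are constructed to mirror the ones in the question; the field order assumed is the default version-2 format.

```python
# Pair VPC Flow Log v2 records per ENI and report ACCEPT-forward / REJECT-reply
# flows: with stateful security groups this cannot happen, so the culprit is a
# stateless NACL lacking a rule for the reply direction.
from collections import defaultdict

# Default version-2 flow log field order.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: the two records from the question, one per line.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca 203.0.113.12 172.31.16.139 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.16.139 203.0.113.12 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""

def parse_records(text):
    """Parse whitespace-separated v2 records; skip NODATA/SKIPDATA lines,
    whose traffic fields are '-' placeholders."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def find_asymmetric_flows(records):
    """Return flows where the forward 5-tuple was ACCEPTed on an ENI but the
    mirrored reply 5-tuple on the same ENI was REJECTed."""
    actions = defaultdict(set)
    for r in records:
        key = (r["interface_id"], r["srcaddr"], r["dstaddr"],
               r["protocol"], r["srcport"], r["dstport"])
        actions[key].add(r["action"])
    findings = []
    for (eni, src, dst, proto, sport, dport), acts in actions.items():
        reverse = (eni, dst, src, proto, dport, sport)
        if "ACCEPT" in acts and "REJECT" in actions.get(reverse, set()):
            findings.append({"interface_id": eni, "protocol": PROTO_NAMES.get(proto, str(proto)),
                             "forward": f"{src}->{dst}", "reply": f"{dst}->{src}",
                             "hint": "reply rejected: check the outbound rule in the subnet's stateless NACL"})
    return findings

if __name__ == "__main__":
    for f in find_asymmetric_flows(parse_records(SAMPLE_LOG)):
        print(f)
```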